remcos | 821c137ee343264e8c8c30161091cd61d63069371e4f6cb2c7131ed930426b5e

Analysis

max time kernel
89s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
23-03-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
Size

1023.9MB
MD5

9d702008371d20fdd562bcda16e5980c
SHA1

2cdd65d525020bb353d7e53d8a1ee61263985849
SHA256

c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd
SHA512

ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90
SSDEEP

12288:Of0zcQzKT8oQo2p2vS0gALQN58cPD8f6r0OU2yJI0FSJr1rziqLcyFxfp:OqKQN/p2vSNycPgs0OU2yJpFSTWexh

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

marlonloperalora09.con-ip.com:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-L3LNUT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exeAppData.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	AppData.exe

Executes dropped EXE 1 IoCs

Processes:

AppData.exe

pid process

3344 AppData.exe

pid	process
3344	AppData.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exeAppData.exe

description	pid	process	target process
PID 1768 set thread context of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 3344 set thread context of 4360	3344	AppData.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3780 1360 WerFault.exe csc.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3728 schtasks.exe
5088 schtasks.exe
3052 schtasks.exe
932 schtasks.exe
4960 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2444 powershell.exe
2444 powershell.exe
4412 powershell.exe
4412 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2444 powershell.exe
Token: SeDebugPrivilege 4412 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csc.exe

pid process

4360 csc.exe

pid	pid_target	process	target process
3780	1360	WerFault.exe	csc.exe

pid	process
3728	schtasks.exe
5088	schtasks.exe
3052	schtasks.exe
932	schtasks.exe
4960	schtasks.exe

pid	process
2444	powershell.exe
2444	powershell.exe
4412	powershell.exe
4412	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe

pid	process
4360	csc.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.execmd.exeAppData.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 632	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	cmd.exe
PID 1768 wrote to memory of 632	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	cmd.exe
PID 1768 wrote to memory of 632	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	cmd.exe
PID 1768 wrote to memory of 4152	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	cmd.exe
PID 1768 wrote to memory of 4152	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	cmd.exe
PID 1768 wrote to memory of 4152	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	cmd.exe
PID 632 wrote to memory of 3728	632	cmd.exe	schtasks.exe
PID 632 wrote to memory of 3728	632	cmd.exe	schtasks.exe
PID 632 wrote to memory of 3728	632	cmd.exe	schtasks.exe
PID 1768 wrote to memory of 2444	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	powershell.exe
PID 1768 wrote to memory of 2444	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	powershell.exe
PID 1768 wrote to memory of 2444	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	powershell.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 1768 wrote to memory of 1360	1768	PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe	csc.exe
PID 3344 wrote to memory of 1392	3344	AppData.exe	cmd.exe
PID 3344 wrote to memory of 1392	3344	AppData.exe	cmd.exe
PID 3344 wrote to memory of 1392	3344	AppData.exe	cmd.exe
PID 3344 wrote to memory of 4456	3344	AppData.exe	cmd.exe
PID 3344 wrote to memory of 4456	3344	AppData.exe	cmd.exe
PID 3344 wrote to memory of 4456	3344	AppData.exe	cmd.exe
PID 1392 wrote to memory of 5088	1392	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 5088	1392	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 5088	1392	cmd.exe	schtasks.exe
PID 3344 wrote to memory of 4412	3344	AppData.exe	powershell.exe
PID 3344 wrote to memory of 4412	3344	AppData.exe	powershell.exe
PID 3344 wrote to memory of 4412	3344	AppData.exe	powershell.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe
PID 3344 wrote to memory of 4360	3344	AppData.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
"C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3728

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:4152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 508
3⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1360 -ip 1360
1⤵
PID:4824

C:\Users\Admin\AppData\Roaming\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:4456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Users\Admin\AppData\Roaming\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData.exe
1⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
PID:3340

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3052

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
2⤵
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1624

C:\Users\Admin\AppData\Roaming\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData.exe
1⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
PID:4540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
2⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1212

C:\Users\Admin\AppData\Roaming\AppData.exe
C:\Users\Admin\AppData\Roaming\AppData.exe
1⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
2⤵
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
2⤵
PID:3448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
2⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
dec109a6a6c18963d6335caedcb81da4

SHA1
0594a9b6ed7c2a5d3efbbcc1bc805b6ccfcd3fbf

SHA256
84df03630fe85abdb785bbecc67ee94a3be163bdbbf4335e934e2a2eae06af30

SHA512
9c4216985f23495f07282a5caf63261f7406368c776e4dddc300edcba8981b0c899d8cb70c717b35129dedea9dff417de97d26f877cf76e447631566be16cc11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppData.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
ebfc5eeb5a8cbfa6a29e216bbb6af53b

SHA1
12740dd9c48a135aa5ad98386eba334417347345

SHA256
3bd3113ad80ee09b9fa4a9882f8966533e790588d00afc09d02e85fe7c382602

SHA512
776f0e813a7e16aa27c80d6ba22759985fbf6c61c2970db630b8b7bcf1361cf78289c9a2977b13282093e6bf16ad369768680b28ad6c9a6a8ab20fb1b7e36a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
0e796ec85a5bd1d44e1bd6ef81a01cf0

SHA1
a6bd980faf684cae70fb3ac914503d3278f2904f

SHA256
80884971434c9601f938f0a8dd3a587870b802efbfdb9af84b671d75996c85fc

SHA512
2b744f386d263de4cbec65e51ee7b4ef2a68b2d980a0fca3eb030c9c585720e8814a7892d9f98ba0b0aa40e5ea02f786bfb17635c86a4c73d172d600a066a8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
243235303a25ae776fbca11f26319cca

SHA1
e423d332e58fb612d5ec96b022b108fb81e1796f

SHA256
4a4f5a8772ffb55e2e55e1937c86e1f307b1bb2d4566fa4ed44be5456e4fc953

SHA512
2e47eda32a7e2a8f1b362ec995972d30dbe5b9cf858f7b7bcf221863a2a41926dde4caebd1d1dbf99d97aa72cb1a9e7dba289a57d3efa2b14e6664c4f97a5478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
84a6f0eaf7349f64c6634a97123fca85

SHA1
eb33d1a599f8ae81a9a8b0be0ff91933f62c32c9

SHA256
4bfc3ea954cc4d3c7a095e6cdeb84347abf2a4f50d5403353ca6d9097ff7e87d

SHA512
31735226a09c4c2ccc42b17e8fcf7ac7964b2cb57cb21e2266a8fdb18455dc35964d51541ec175ed598bfe908760c08ea1eb80fd6cfea643f201182dadb34290

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwtao4ey.zys.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
930.3MB

MD5
f76084386ffd554329519c35f71c3232

SHA1
d80057572425df714fc7470007bd0f037576bc7c

SHA256
743b22abb94a3013abecf05b58bdb622a5a1cd4108158c36d075274ae3104cda

SHA512
3348e1480f4ac0424ceaf25b1905441a24ea2d68289a6057320037baf864c206fe0129ec0a1bc3b1fd08ad305cb5a40556ba8938740cb86ced8b549877ecd4fb

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
939.6MB

MD5
37fd602d1e2ce63fa7ec2487ba43a832

SHA1
75e41aaf838313fb0a0d827d9acf67314f73fc51

SHA256
52841398811ff3c2df8718d9787a5b1b30be0210d4d8c03f43edd80d89e9047f

SHA512
b49a209dd528bbd10159bb901955449cac003ec1436522e0d3f53f24c61272baed2db75d3b3132bdf096eb034f685f2f92b4e0e59765a68ebcbe114d455e09e6

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
595.1MB

MD5
1fcc19aa41b27040662d28e9297a1db3

SHA1
4758e4010d7671d054f26d40e4f2e28f316594dd

SHA256
43e5cf797edb00f99763d1edfd6c4ae5559db34a7a5aa507822d4b188334bf9f

SHA512
5b47e5aac3338b8adc8fb797bfcbda7bda89734ab8345edb53712e0ee163e0237a4d5302324625b4429f0327e4bafa082cb62e6508d8ccc0ebab6e6f37c09853

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
322.1MB

MD5
9e8bc420890e0c255ee63cd3a70a26d9

SHA1
7678b32e3c6ac1bc6398b5a3ed12e58789586a88

SHA256
5d8276ea9339ea6f5ec3c37e0c80b15870b9c2f7ba676f09e422b9ae0fe7ddf1

SHA512
2222ae91e0e80278df31b1c0cbc65d020ecc1d368821f736cf10b7451749c5b9b732d3af1042f89ce6a6124d53c806f2f05f3915dd47c0a4a69189ddc052ef04

Download Submit
C:\Users\Admin\AppData\Roaming\AppData.exe
Filesize
153.9MB

MD5
c3e8bc14b36fe0985c6e2672b066571e

SHA1
57c106a09c911b3ebbf9099683496b405cac61d3

SHA256
72f37674fd247f2a44ef67d7069a608fddb03d27280f3d4c267270775f825c2f

SHA512
f0b3b0d595dd3d371b757c41219897717c1712f0d139eb98362023bc0aef39c7e14c3f03f1c384bde07fa770b0a0c97b90fe709d337b17afc8d8d7d01a58dd41

Download Submit
memory/884-260-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/884-282-0x000000007F9A0000-0x000000007F9B0000-memory.dmp

Filesize
64KB

Download
memory/884-281-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/884-271-0x0000000072560000-0x00000000725AC000-memory.dmp

Filesize
304KB

Download
memory/884-259-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download
memory/1212-301-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1212-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1212-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1360-154-0x00000000006A0000-0x000000000071F000-memory.dmp

Filesize
508KB

Download
memory/1360-146-0x00000000006A0000-0x000000000071F000-memory.dmp

Filesize
508KB

Download
memory/1360-140-0x00000000006A0000-0x000000000071F000-memory.dmp

Filesize
508KB

Download
memory/1468-344-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1468-345-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1468-343-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1624-257-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1624-256-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1624-258-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1768-133-0x0000000000D70000-0x0000000000E02000-memory.dmp

Filesize
584KB

Download
memory/1768-135-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/1768-134-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/2444-186-0x000000007F9F0000-0x000000007FA00000-memory.dmp

Filesize
64KB

Download
memory/2444-157-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/2444-193-0x0000000007860000-0x000000000787A000-memory.dmp

Filesize
104KB

Download
memory/2444-187-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/2444-138-0x0000000002A20000-0x0000000002A56000-memory.dmp

Filesize
216KB

Download
memory/2444-151-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2444-152-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2444-153-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/2444-188-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/2444-155-0x0000000004F40000-0x0000000004FC2000-memory.dmp

Filesize
520KB

Download
memory/2444-194-0x0000000007850000-0x0000000007858000-memory.dmp

Filesize
32KB

Download
memory/2444-192-0x00000000075D0000-0x00000000075DE000-memory.dmp

Filesize
56KB

Download
memory/2444-156-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/2444-185-0x00000000073A0000-0x00000000073BE000-memory.dmp

Filesize
120KB

Download
memory/2444-158-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/2444-168-0x0000000005F80000-0x0000000005F90000-memory.dmp

Filesize
64KB

Download
memory/2444-169-0x00000000060B0000-0x00000000061B2000-memory.dmp

Filesize
1.0MB

Download
memory/2444-170-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/2444-171-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2444-172-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2444-173-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2444-191-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/2444-174-0x00000000073C0000-0x00000000073F2000-memory.dmp

Filesize
200KB

Download
memory/2444-175-0x000000006F7D0000-0x000000006F81C000-memory.dmp

Filesize
304KB

Download
memory/2444-190-0x00000000077B0000-0x00000000077FA000-memory.dmp

Filesize
296KB

Download
memory/2444-189-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/3700-340-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/3700-376-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/4064-324-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4064-313-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4064-325-0x000000007F850000-0x000000007F860000-memory.dmp

Filesize
64KB

Download
memory/4064-314-0x00000000721D0000-0x000000007221C000-memory.dmp

Filesize
304KB

Download
memory/4176-369-0x000000007F430000-0x000000007F440000-memory.dmp

Filesize
64KB

Download
memory/4176-368-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4176-358-0x0000000072110000-0x000000007215C000-memory.dmp

Filesize
304KB

Download
memory/4176-357-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4176-356-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4360-296-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-337-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-202-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-372-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-224-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-223-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-222-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-252-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-289-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-251-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-287-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-332-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-333-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-295-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-245-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-211-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-208-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-207-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-204-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-203-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-244-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4360-242-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4412-238-0x000000007F430000-0x000000007F440000-memory.dmp

Filesize
64KB

Download
memory/4412-210-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4412-209-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4412-227-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4412-228-0x000000006FCA0000-0x000000006FCEC000-memory.dmp

Filesize
304KB

Download