remcos | 5299caa8131b3b21fb96123e8b9d0ce675bfa5287df1e0703e192e5087e40591

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COVID 19 IVN AND CREW LIST.xlsx
Size

628KB
MD5

c64491aa41027a5b0df3658bbc85ae47
SHA1

dee8920d1755a26544f73cfbc66a0abb9aca7670
SHA256

5299caa8131b3b21fb96123e8b9d0ce675bfa5287df1e0703e192e5087e40591
SHA512

f70e1efab4dff9f781b7a7312cb144d8f10a5691d4b560d0b5f77a96d3d33ce66f264a7f32e061a60bfe19cfe7c74ee1974e3f1d35ffc8807b05fb7614b279a9

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 852 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

DJK.exeDJK.exewin.exewin.exewin.exe

pid process

1516 DJK.exe
1580 DJK.exe
1524 win.exe
1572 win.exe
1320 win.exe
Loads dropped DLL 7 IoCs

Processes:

EQNEDT32.EXEWerFault.execmd.exe

pid process

852 EQNEDT32.EXE
564 WerFault.exe
564 WerFault.exe
564 WerFault.exe
564 WerFault.exe
1492 cmd.exe
564 WerFault.exe

flow	pid	process
3	852	EQNEDT32.EXE

pid	process
852	EQNEDT32.EXE
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
1492	cmd.exe
564	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

win.exeDJK.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	win.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	win.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	DJK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	DJK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

Processes:

DJK.exewin.exe

pid	process
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DJK.exewin.exe

description pid process target process

PID 1516 set thread context of 1580 1516 DJK.exe DJK.exe
PID 1524 set thread context of 1320 1524 win.exe win.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

564 1516 WerFault.exe DJK.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1324 timeout.exe
1676 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

852 EQNEDT32.EXE

description	pid	process	target process
PID 1516 set thread context of 1580	1516	DJK.exe	DJK.exe
PID 1524 set thread context of 1320	1524	win.exe	win.exe

pid	pid_target	process	target process
564	1516	WerFault.exe	DJK.exe

pid	process
1324	timeout.exe
1676	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
852	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

684 EXCEL.EXE

pid	process
684	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DJK.exeWerFault.exewin.exe

pid	process
1516	DJK.exe
1516	DJK.exe
1516	DJK.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe
1524	win.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

win.exe

pid process

1320 win.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DJK.exeWerFault.exewin.exe

description pid process

Token: SeDebugPrivilege 1516 DJK.exe
Token: SeDebugPrivilege 564 WerFault.exe
Token: SeDebugPrivilege 1524 win.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXEwin.exe

pid process

684 EXCEL.EXE
684 EXCEL.EXE
684 EXCEL.EXE
1320 win.exe
684 EXCEL.EXE
684 EXCEL.EXE

pid	process
1320	win.exe

description	pid	process
Token: SeDebugPrivilege	1516	DJK.exe
Token: SeDebugPrivilege	564	WerFault.exe
Token: SeDebugPrivilege	1524	win.exe

pid	process
684	EXCEL.EXE
684	EXCEL.EXE
684	EXCEL.EXE
1320	win.exe
684	EXCEL.EXE
684	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXEDJK.execmd.exeDJK.exeWScript.execmd.exewin.execmd.exe

description	pid	process	target process
PID 852 wrote to memory of 1516	852	EQNEDT32.EXE	DJK.exe
PID 852 wrote to memory of 1516	852	EQNEDT32.EXE	DJK.exe
PID 852 wrote to memory of 1516	852	EQNEDT32.EXE	DJK.exe
PID 852 wrote to memory of 1516	852	EQNEDT32.EXE	DJK.exe
PID 684 wrote to memory of 1476	684	EXCEL.EXE	splwow64.exe
PID 684 wrote to memory of 1476	684	EXCEL.EXE	splwow64.exe
PID 684 wrote to memory of 1476	684	EXCEL.EXE	splwow64.exe
PID 684 wrote to memory of 1476	684	EXCEL.EXE	splwow64.exe
PID 1516 wrote to memory of 1104	1516	DJK.exe	cmd.exe
PID 1516 wrote to memory of 1104	1516	DJK.exe	cmd.exe
PID 1516 wrote to memory of 1104	1516	DJK.exe	cmd.exe
PID 1516 wrote to memory of 1104	1516	DJK.exe	cmd.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1104 wrote to memory of 1324	1104	cmd.exe	timeout.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1516 wrote to memory of 1580	1516	DJK.exe	DJK.exe
PID 1580 wrote to memory of 1604	1580	DJK.exe	WScript.exe
PID 1580 wrote to memory of 1604	1580	DJK.exe	WScript.exe
PID 1580 wrote to memory of 1604	1580	DJK.exe	WScript.exe
PID 1580 wrote to memory of 1604	1580	DJK.exe	WScript.exe
PID 1516 wrote to memory of 564	1516	DJK.exe	WerFault.exe
PID 1516 wrote to memory of 564	1516	DJK.exe	WerFault.exe
PID 1516 wrote to memory of 564	1516	DJK.exe	WerFault.exe
PID 1516 wrote to memory of 564	1516	DJK.exe	WerFault.exe
PID 1604 wrote to memory of 1492	1604	WScript.exe	cmd.exe
PID 1604 wrote to memory of 1492	1604	WScript.exe	cmd.exe
PID 1604 wrote to memory of 1492	1604	WScript.exe	cmd.exe
PID 1604 wrote to memory of 1492	1604	WScript.exe	cmd.exe
PID 1492 wrote to memory of 1524	1492	cmd.exe	win.exe
PID 1492 wrote to memory of 1524	1492	cmd.exe	win.exe
PID 1492 wrote to memory of 1524	1492	cmd.exe	win.exe
PID 1492 wrote to memory of 1524	1492	cmd.exe	win.exe
PID 1524 wrote to memory of 316	1524	win.exe	cmd.exe
PID 1524 wrote to memory of 316	1524	win.exe	cmd.exe
PID 1524 wrote to memory of 316	1524	win.exe	cmd.exe
PID 1524 wrote to memory of 316	1524	win.exe	cmd.exe
PID 316 wrote to memory of 1676	316	cmd.exe	timeout.exe
PID 316 wrote to memory of 1676	316	cmd.exe	timeout.exe
PID 316 wrote to memory of 1676	316	cmd.exe	timeout.exe
PID 316 wrote to memory of 1676	316	cmd.exe	timeout.exe
PID 1524 wrote to memory of 1572	1524	win.exe	win.exe
PID 1524 wrote to memory of 1572	1524	win.exe	win.exe
PID 1524 wrote to memory of 1572	1524	win.exe	win.exe
PID 1524 wrote to memory of 1572	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe
PID 1524 wrote to memory of 1320	1524	win.exe	win.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\COVID 19 IVN AND CREW LIST.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1476

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Roaming\DJK.exe
"C:\Users\Admin\AppData\Roaming\DJK.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1324

C:\Users\Admin\AppData\Roaming\DJK.exe
"C:\Users\Admin\AppData\Roaming\DJK.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\win.exe
C:\Users\Admin\AppData\Roaming\win.exe
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
7⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\timeout.exe
timeout 1
8⤵
- Delays execution with timeout.exe
PID:1676

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
7⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 928
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
4a74e626596d6e66b4bbc59ee6848f2d

SHA1
047849ac8735ecc0943428c7cd5e00b52eee06ed

SHA256
98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

SHA512
1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

Download Submit
C:\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
C:\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
C:\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\DJK.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
\Users\Admin\AppData\Roaming\win.exe
MD5
56626bf21f8de8d051d744973cb2566c

SHA1
af13b7b6844342fd2b2784bb01df9a780be5acbe

SHA256
495e8980ae0b6b1c68d472e9ef3cdb5eb888f8d0be94309acaa35b20536ee859

SHA512
694b761b600301fbd0d87e725903686461dc008c9372776ab01600456581ffb18f875ce84037afca2dff244830b9a72f6a562e6e463d7001794b5daf941f4925

Download Submit
memory/316-100-0x0000000000000000-mapping.dmp

Download
memory/564-97-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/564-84-0x0000000000000000-mapping.dmp

Download
memory/684-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/684-61-0x00000000711F1000-0x00000000711F3000-memory.dmp

Filesize
8KB

Download
memory/684-60-0x000000002FE01000-0x000000002FE04000-memory.dmp

Filesize
12KB

Download
memory/852-63-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1104-74-0x0000000000000000-mapping.dmp

Download
memory/1320-107-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1320-104-0x0000000000413FA4-mapping.dmp

Download
memory/1324-75-0x0000000000000000-mapping.dmp

Download
memory/1476-69-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1476-68-0x0000000000000000-mapping.dmp

Download
memory/1492-89-0x0000000000000000-mapping.dmp

Download
memory/1516-73-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/1516-72-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/1516-70-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1516-65-0x0000000000000000-mapping.dmp

Download
memory/1524-92-0x0000000000000000-mapping.dmp

Download
memory/1524-99-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1524-94-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1580-81-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1580-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1580-77-0x0000000000413FA4-mapping.dmp

Download
memory/1604-80-0x0000000000000000-mapping.dmp

Download
memory/1676-101-0x0000000000000000-mapping.dmp

Download