remcos | 28ea23168f0631c5c39cb104a4bc37b521df2dcf03789b5aaba23eebf322ec56

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN_CAD-SPECIFICATION-11221001080.exe
Size

2.1MB
MD5

687af17193137f3da6ad493b3d677cbe
SHA1

cc35986e6eafa161506678a5f2d485ab1850cf6c
SHA256

28ea23168f0631c5c39cb104a4bc37b521df2dcf03789b5aaba23eebf322ec56
SHA512

e83047da80a39252e71fca47ed924af0be8b19cbd83dd374c869f882e2872326ea92a446dc77cebadeec6ba639dbcedd81c023ef4e1c24916a45610a1c0069e6
SSDEEP

49152:9m6JDKZNchBNQf1atM5eDsI+JT9/4Czs7pBiEigGo9jzTQp:9NJgcV+R9/4CzY7iX7o9jzTQ

Score

10^/10

remcos warzonerat iyke peterobi2023 infostealer persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PeterObi2023

76.8.53.133:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sdfge.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
fghoiuytr.dat
keylog_flag
false
mouse_option
false
mutex
fghjcvbn-UURPOS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
dfghrtyu
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

IYKE

76.8.53.133:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
copy_folder
machines
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
12345MEEE
mouse_option
false
mutex
12345MEEE-NS9UK1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
explorer
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

warzonerat

76.8.53.133:1198

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe	warzonerat
\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe	warzonerat

Executes dropped EXE 5 IoCs

Processes:

My Nigga.exeiyke remcos.exewarzone rawfile new.exeexplorer.exeexplorer.exe

pid process

1148 My Nigga.exe
2032 iyke remcos.exe
1724 warzone rawfile new.exe
1740 explorer.exe
428 explorer.exe

pid	process
1148	My Nigga.exe
2032	iyke remcos.exe
1724	warzone rawfile new.exe
1740	explorer.exe
428	explorer.exe

Loads dropped DLL 10 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.execmd.execmd.exe

pid	process
520	SCAN_CAD-SPECIFICATION-11221001080.exe
520	SCAN_CAD-SPECIFICATION-11221001080.exe
520	SCAN_CAD-SPECIFICATION-11221001080.exe
520	SCAN_CAD-SPECIFICATION-11221001080.exe
520	SCAN_CAD-SPECIFICATION-11221001080.exe
520	SCAN_CAD-SPECIFICATION-11221001080.exe
1568	cmd.exe
1644	cmd.exe
1568	cmd.exe
1644	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

My Nigga.exeiyke remcos.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\""	My Nigga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iyke remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\machines\\explorer.exe\""	iyke remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\machines\\explorer.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	My Nigga.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.exe

description	pid	process	target process
PID 2016 set thread context of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

832 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 832 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1740 explorer.exe

pid	process
832	powershell.exe

description	pid	process
Token: SeDebugPrivilege	832	powershell.exe

pid	process
1740	explorer.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.exeSCAN_CAD-SPECIFICATION-11221001080.exeMy Nigga.exeiyke remcos.exeWScript.exeWScript.execmd.execmd.exewarzone rawfile new.exe

description	pid	process	target process
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 2016 wrote to memory of 520	2016	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 520 wrote to memory of 1148	520	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 520 wrote to memory of 1148	520	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 520 wrote to memory of 1148	520	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 520 wrote to memory of 1148	520	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 520 wrote to memory of 2032	520	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 520 wrote to memory of 2032	520	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 520 wrote to memory of 2032	520	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 520 wrote to memory of 2032	520	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 520 wrote to memory of 1724	520	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 520 wrote to memory of 1724	520	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 520 wrote to memory of 1724	520	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 520 wrote to memory of 1724	520	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 1148 wrote to memory of 1620	1148	My Nigga.exe	WScript.exe
PID 1148 wrote to memory of 1620	1148	My Nigga.exe	WScript.exe
PID 1148 wrote to memory of 1620	1148	My Nigga.exe	WScript.exe
PID 1148 wrote to memory of 1620	1148	My Nigga.exe	WScript.exe
PID 2032 wrote to memory of 1952	2032	iyke remcos.exe	WScript.exe
PID 2032 wrote to memory of 1952	2032	iyke remcos.exe	WScript.exe
PID 2032 wrote to memory of 1952	2032	iyke remcos.exe	WScript.exe
PID 2032 wrote to memory of 1952	2032	iyke remcos.exe	WScript.exe
PID 1952 wrote to memory of 1568	1952	WScript.exe	cmd.exe
PID 1952 wrote to memory of 1568	1952	WScript.exe	cmd.exe
PID 1952 wrote to memory of 1568	1952	WScript.exe	cmd.exe
PID 1952 wrote to memory of 1568	1952	WScript.exe	cmd.exe
PID 1620 wrote to memory of 1644	1620	WScript.exe	cmd.exe
PID 1620 wrote to memory of 1644	1620	WScript.exe	cmd.exe
PID 1620 wrote to memory of 1644	1620	WScript.exe	cmd.exe
PID 1620 wrote to memory of 1644	1620	WScript.exe	cmd.exe
PID 1568 wrote to memory of 1740	1568	cmd.exe	explorer.exe
PID 1568 wrote to memory of 1740	1568	cmd.exe	explorer.exe
PID 1568 wrote to memory of 1740	1568	cmd.exe	explorer.exe
PID 1568 wrote to memory of 1740	1568	cmd.exe	explorer.exe
PID 1644 wrote to memory of 428	1644	cmd.exe	explorer.exe
PID 1644 wrote to memory of 428	1644	cmd.exe	explorer.exe
PID 1644 wrote to memory of 428	1644	cmd.exe	explorer.exe
PID 1644 wrote to memory of 428	1644	cmd.exe	explorer.exe
PID 1724 wrote to memory of 832	1724	warzone rawfile new.exe	powershell.exe
PID 1724 wrote to memory of 832	1724	warzone rawfile new.exe	powershell.exe
PID 1724 wrote to memory of 832	1724	warzone rawfile new.exe	powershell.exe
PID 1724 wrote to memory of 832	1724	warzone rawfile new.exe	powershell.exe
PID 1724 wrote to memory of 1780	1724	warzone rawfile new.exe	cmd.exe
PID 1724 wrote to memory of 1780	1724	warzone rawfile new.exe	cmd.exe
PID 1724 wrote to memory of 1780	1724	warzone rawfile new.exe	cmd.exe
PID 1724 wrote to memory of 1780	1724	warzone rawfile new.exe	cmd.exe
PID 1724 wrote to memory of 1780	1724	warzone rawfile new.exe	cmd.exe
PID 1724 wrote to memory of 1780	1724	warzone rawfile new.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
"C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\ProgramData\machines\explorer.exe
C:\ProgramData\machines\explorer.exe
6⤵
- Executes dropped EXE
PID:428

C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe
"C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568

C:\ProgramData\machines\explorer.exe
C:\ProgramData\machines\explorer.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
"C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
Filesize
469KB

MD5
82602aed5a4328fd0f432ac95f05a500

SHA1
83c7d33c0d034ec89953986d191fe82e5f5ba297

SHA256
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791

SHA512
afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
Filesize
469KB

MD5
82602aed5a4328fd0f432ac95f05a500

SHA1
83c7d33c0d034ec89953986d191fe82e5f5ba297

SHA256
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791

SHA512
afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
394B

MD5
06c791067d2932c95dd3677d2384841e

SHA1
715003b9d13baa70e501982796d367792c1addfa

SHA256
cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49

SHA512
20a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
394B

MD5
06c791067d2932c95dd3677d2384841e

SHA1
715003b9d13baa70e501982796d367792c1addfa

SHA256
cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49

SHA512
20a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
Filesize
113KB

MD5
7aa7c2c90371cf809dac01092c13d63e

SHA1
5a41e80d24d965f039fca837ecdd6322ca673d4e

SHA256
ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602

SHA512
dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f

Download Submit
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
Filesize
113KB

MD5
7aa7c2c90371cf809dac01092c13d63e

SHA1
5a41e80d24d965f039fca837ecdd6322ca673d4e

SHA256
ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602

SHA512
dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f

Download Submit
\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
\Users\Admin\AppData\Local\Temp\My Nigga.exe
Filesize
469KB

MD5
82602aed5a4328fd0f432ac95f05a500

SHA1
83c7d33c0d034ec89953986d191fe82e5f5ba297

SHA256
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791

SHA512
afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Download Submit
\Users\Admin\AppData\Local\Temp\My Nigga.exe
Filesize
469KB

MD5
82602aed5a4328fd0f432ac95f05a500

SHA1
83c7d33c0d034ec89953986d191fe82e5f5ba297

SHA256
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791

SHA512
afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Download Submit
\Users\Admin\AppData\Local\Temp\iyke remcos.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
\Users\Admin\AppData\Local\Temp\iyke remcos.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
Filesize
113KB

MD5
7aa7c2c90371cf809dac01092c13d63e

SHA1
5a41e80d24d965f039fca837ecdd6322ca673d4e

SHA256
ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602

SHA512
dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f

Download Submit
\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
Filesize
113KB

MD5
7aa7c2c90371cf809dac01092c13d63e

SHA1
5a41e80d24d965f039fca837ecdd6322ca673d4e

SHA256
ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602

SHA512
dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f

Download Submit
memory/428-103-0x0000000000000000-mapping.dmp

Download
memory/520-68-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/520-63-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/520-60-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/520-61-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/520-64-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/520-70-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/520-66-0x0000000000561FBE-mapping.dmp

Download
memory/520-65-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/832-114-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/832-112-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/832-109-0x0000000000000000-mapping.dmp

Download
memory/1148-74-0x0000000000000000-mapping.dmp

Download
memory/1568-95-0x0000000000000000-mapping.dmp

Download
memory/1620-88-0x0000000000000000-mapping.dmp

Download
memory/1644-96-0x0000000000000000-mapping.dmp

Download
memory/1724-85-0x0000000000000000-mapping.dmp

Download
memory/1740-101-0x0000000000000000-mapping.dmp

Download
memory/1780-110-0x0000000000000000-mapping.dmp

Download
memory/1780-113-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1952-91-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000009A40000-0x0000000009BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2016-58-0x0000000008690000-0x0000000008842000-memory.dmp

Filesize
1.7MB

Download
memory/2016-57-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2016-56-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2016-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000001260000-0x0000000001478000-memory.dmp

Filesize
2.1MB

Download
memory/2032-80-0x0000000000000000-mapping.dmp

Download