remcos | 28ea23168f0631c5c39cb104a4bc37b521df2dcf03789b5aaba23eebf322ec56

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN_CAD-SPECIFICATION-11221001080.exe
Size

2.1MB
MD5

687af17193137f3da6ad493b3d677cbe
SHA1

cc35986e6eafa161506678a5f2d485ab1850cf6c
SHA256

28ea23168f0631c5c39cb104a4bc37b521df2dcf03789b5aaba23eebf322ec56
SHA512

e83047da80a39252e71fca47ed924af0be8b19cbd83dd374c869f882e2872326ea92a446dc77cebadeec6ba639dbcedd81c023ef4e1c24916a45610a1c0069e6
SSDEEP

49152:9m6JDKZNchBNQf1atM5eDsI+JT9/4Czs7pBiEigGo9jzTQp:9NJgcV+R9/4CzY7iX7o9jzTQ

Score

10^/10

remcos warzonerat iyke peterobi2023 infostealer persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PeterObi2023

76.8.53.133:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sdfge.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
fghoiuytr.dat
keylog_flag
false
mouse_option
false
mutex
fghjcvbn-UURPOS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
dfghrtyu
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

IYKE

76.8.53.133:1198

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
explorer.exe
copy_folder
machines
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
12345MEEE
mouse_option
false
mutex
12345MEEE-NS9UK1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
explorer
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

warzonerat

76.8.53.133:1198

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe	warzonerat

Executes dropped EXE 5 IoCs

Processes:

My Nigga.exeiyke remcos.exewarzone rawfile new.exeexplorer.exeexplorer.exe

pid process

4348 My Nigga.exe
4172 iyke remcos.exe
1028 warzone rawfile new.exe
1600 explorer.exe
4972 explorer.exe

pid	process
4348	My Nigga.exe
4172	iyke remcos.exe
1028	warzone rawfile new.exe
1600	explorer.exe
4972	explorer.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iyke remcos.exeMy Nigga.exeWScript.exeWScript.exeSCAN_CAD-SPECIFICATION-11221001080.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	iyke remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	My Nigga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SCAN_CAD-SPECIFICATION-11221001080.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeMy Nigga.exeiyke remcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\machines\\explorer.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	My Nigga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\""	My Nigga.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	iyke remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\machines\\explorer.exe\""	iyke remcos.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.exe

description	pid	process	target process
PID 1964 set thread context of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

iyke remcos.exeMy Nigga.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	iyke remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	My Nigga.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.exepowershell.exe

pid	process
1964	SCAN_CAD-SPECIFICATION-11221001080.exe
1964	SCAN_CAD-SPECIFICATION-11221001080.exe
1964	SCAN_CAD-SPECIFICATION-11221001080.exe
1964	SCAN_CAD-SPECIFICATION-11221001080.exe
1264	powershell.exe
1264	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1964 SCAN_CAD-SPECIFICATION-11221001080.exe
Token: SeDebugPrivilege 1264 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1600 explorer.exe

description	pid	process
Token: SeDebugPrivilege	1964	SCAN_CAD-SPECIFICATION-11221001080.exe
Token: SeDebugPrivilege	1264	powershell.exe

pid	process
1600	explorer.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

SCAN_CAD-SPECIFICATION-11221001080.exeSCAN_CAD-SPECIFICATION-11221001080.exeiyke remcos.exeMy Nigga.exeWScript.exeWScript.exewarzone rawfile new.execmd.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 4132	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 4132	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 4132	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 4540	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 4540	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 4540	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 1964 wrote to memory of 388	1964	SCAN_CAD-SPECIFICATION-11221001080.exe	SCAN_CAD-SPECIFICATION-11221001080.exe
PID 388 wrote to memory of 4348	388	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 388 wrote to memory of 4348	388	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 388 wrote to memory of 4348	388	SCAN_CAD-SPECIFICATION-11221001080.exe	My Nigga.exe
PID 388 wrote to memory of 4172	388	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 388 wrote to memory of 4172	388	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 388 wrote to memory of 4172	388	SCAN_CAD-SPECIFICATION-11221001080.exe	iyke remcos.exe
PID 388 wrote to memory of 1028	388	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 388 wrote to memory of 1028	388	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 388 wrote to memory of 1028	388	SCAN_CAD-SPECIFICATION-11221001080.exe	warzone rawfile new.exe
PID 4172 wrote to memory of 3756	4172	iyke remcos.exe	WScript.exe
PID 4172 wrote to memory of 3756	4172	iyke remcos.exe	WScript.exe
PID 4172 wrote to memory of 3756	4172	iyke remcos.exe	WScript.exe
PID 4348 wrote to memory of 3952	4348	My Nigga.exe	WScript.exe
PID 4348 wrote to memory of 3952	4348	My Nigga.exe	WScript.exe
PID 4348 wrote to memory of 3952	4348	My Nigga.exe	WScript.exe
PID 3952 wrote to memory of 1228	3952	WScript.exe	cmd.exe
PID 3952 wrote to memory of 1228	3952	WScript.exe	cmd.exe
PID 3952 wrote to memory of 1228	3952	WScript.exe	cmd.exe
PID 3756 wrote to memory of 1120	3756	WScript.exe	cmd.exe
PID 3756 wrote to memory of 1120	3756	WScript.exe	cmd.exe
PID 3756 wrote to memory of 1120	3756	WScript.exe	cmd.exe
PID 1028 wrote to memory of 1264	1028	warzone rawfile new.exe	powershell.exe
PID 1028 wrote to memory of 1264	1028	warzone rawfile new.exe	powershell.exe
PID 1028 wrote to memory of 1264	1028	warzone rawfile new.exe	powershell.exe
PID 1028 wrote to memory of 4344	1028	warzone rawfile new.exe	cmd.exe
PID 1028 wrote to memory of 4344	1028	warzone rawfile new.exe	cmd.exe
PID 1028 wrote to memory of 4344	1028	warzone rawfile new.exe	cmd.exe
PID 1120 wrote to memory of 1600	1120	cmd.exe	explorer.exe
PID 1120 wrote to memory of 1600	1120	cmd.exe	explorer.exe
PID 1120 wrote to memory of 1600	1120	cmd.exe	explorer.exe
PID 1228 wrote to memory of 4972	1228	cmd.exe	explorer.exe
PID 1228 wrote to memory of 4972	1228	cmd.exe	explorer.exe
PID 1228 wrote to memory of 4972	1228	cmd.exe	explorer.exe
PID 1028 wrote to memory of 4344	1028	warzone rawfile new.exe	cmd.exe
PID 1028 wrote to memory of 4344	1028	warzone rawfile new.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"
2⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"
2⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_CAD-SPECIFICATION-11221001080.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
"C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\ProgramData\machines\explorer.exe
C:\ProgramData\machines\explorer.exe
6⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe
"C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\machines\explorer.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\ProgramData\machines\explorer.exe
C:\ProgramData\machines\explorer.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
"C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\ProgramData\machines\explorer.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SCAN_CAD-SPECIFICATION-11221001080.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
Filesize
469KB

MD5
82602aed5a4328fd0f432ac95f05a500

SHA1
83c7d33c0d034ec89953986d191fe82e5f5ba297

SHA256
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791

SHA512
afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
Filesize
469KB

MD5
82602aed5a4328fd0f432ac95f05a500

SHA1
83c7d33c0d034ec89953986d191fe82e5f5ba297

SHA256
fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791

SHA512
afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
394B

MD5
06c791067d2932c95dd3677d2384841e

SHA1
715003b9d13baa70e501982796d367792c1addfa

SHA256
cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49

SHA512
20a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
394B

MD5
06c791067d2932c95dd3677d2384841e

SHA1
715003b9d13baa70e501982796d367792c1addfa

SHA256
cf55c64c0a026c2a15389e088a337f98da369179508380519c1d7f69dc603f49

SHA512
20a67da827a020cc6da8985cd1b1c0ec8847dd639c4c2a83f3e8af48dddaff58f5a05e8a3dba5e9911400d5f6e9d59b93361838f56455fd3b2fafe489e1a76ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyke remcos.exe
Filesize
469KB

MD5
cfe7124b0cc081e0b02426f430064a80

SHA1
58069d9f9d74c392275849e9084c5a8980d774d3

SHA256
1e11e39458dd9affead376ffafa64fc639fb8fee45788f3c922c38923546e5e8

SHA512
5eb031420328f9f077acdf60cf0579051ae7d95b77d9aaf572010c1051710c678d45e50a760fc8eaf1acab06449e1f07c2e92693ae45d669ed94f11a8d1e8bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
Filesize
113KB

MD5
7aa7c2c90371cf809dac01092c13d63e

SHA1
5a41e80d24d965f039fca837ecdd6322ca673d4e

SHA256
ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602

SHA512
dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f

Download Submit
C:\Users\Admin\AppData\Local\Temp\warzone rawfile new.exe
Filesize
113KB

MD5
7aa7c2c90371cf809dac01092c13d63e

SHA1
5a41e80d24d965f039fca837ecdd6322ca673d4e

SHA256
ff3f9f08d7956fb6699d0d58f7f02aef326a981a6433b3fa89bb550a90495602

SHA512
dbb068e8d2ad9ec64845d43fe993c0f0978b93a3aae616392993e17ec48add26b3521a69003cefd8c71586cf35220b61f52f75cfa5835331d85ffea4018b185f

Download Submit
memory/388-140-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/388-139-0x0000000000000000-mapping.dmp

Download
memory/1028-149-0x0000000000000000-mapping.dmp

Download
memory/1120-156-0x0000000000000000-mapping.dmp

Download
memory/1228-155-0x0000000000000000-mapping.dmp

Download
memory/1264-165-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/1264-178-0x0000000007450000-0x000000000745E000-memory.dmp

Filesize
56KB

Download
memory/1264-179-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/1264-164-0x00000000048F0000-0x0000000004926000-memory.dmp

Filesize
216KB

Download
memory/1264-177-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/1264-176-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/1264-175-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/1264-174-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/1264-157-0x0000000000000000-mapping.dmp

Download
memory/1264-173-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/1264-172-0x0000000071080000-0x00000000710CC000-memory.dmp

Filesize
304KB

Download
memory/1264-171-0x0000000006440000-0x0000000006472000-memory.dmp

Filesize
200KB

Download
memory/1264-170-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/1264-168-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/1264-180-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/1264-167-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/1264-166-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/1600-159-0x0000000000000000-mapping.dmp

Download
memory/1964-133-0x00000000050F0000-0x0000000005694000-memory.dmp

Filesize
5.6MB

Download
memory/1964-134-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/1964-136-0x0000000008E40000-0x0000000008EDC000-memory.dmp

Filesize
624KB

Download
memory/1964-135-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/1964-132-0x0000000000030000-0x0000000000248000-memory.dmp

Filesize
2.1MB

Download
memory/3756-153-0x0000000000000000-mapping.dmp

Download
memory/3952-154-0x0000000000000000-mapping.dmp

Download
memory/4132-137-0x0000000000000000-mapping.dmp

Download
memory/4172-145-0x0000000000000000-mapping.dmp

Download
memory/4344-169-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/4344-158-0x0000000000000000-mapping.dmp

Download
memory/4348-142-0x0000000000000000-mapping.dmp

Download
memory/4540-138-0x0000000000000000-mapping.dmp

Download
memory/4972-162-0x0000000000000000-mapping.dmp

Download