Malware Analysis Report

2025-03-15 06:25

Sample ID 240126-w35sjsdcdq
Target start.bat
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
Tags
hacked njrat evasion trojan remcos host persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf

Threat Level: Known bad

The file start.bat was found to be: Known bad.

Malicious Activity Summary

hacked njrat evasion trojan remcos host persistence rat

Njrat family

Modifies WinLogon for persistence

Remcos

njRAT/Bladabindi

Modifies Windows Firewall

Adds policy Run key to start application

Loads dropped DLL

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Modifies WinLogon

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 18:27

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 18:27

Reported

2024-01-26 18:30

Platform

win7-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\start.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\start.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\start.exe

"C:\Users\Admin\AppData\Local\Temp\start.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 dead-reviewer.gl.at.ply.gg udp
US 147.185.221.17:60161 dead-reviewer.gl.at.ply.gg tcp

Files

\Users\Admin\AppData\Local\Temp\server.exe

MD5 937286297fbc003e6a69fdc0f02ce8b0
SHA1 2ebd595bbb357264649f17f8b066941f05befefb
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
SHA512 9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4

C:\Users\Admin\AppData\Roaming\app

MD5 5014379cf5fa31db8a73d68d6353a145
SHA1 2a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8
SHA512 5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 18:27

Reported

2024-01-26 18:30

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\start.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A

Remcos

rat remcos

njRAT/Bladabindi

trojan njrat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\start.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dlscord = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 804 set thread context of 3496 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\start.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2756 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2756 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe
PID 3940 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe
PID 3940 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe C:\Users\Admin\AppData\Local\Temp\Sczbl.bat
PID 3896 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 908 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 804 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\start.exe

"C:\Users\Admin\AppData\Local\Temp\start.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe"

C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe

"C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe"

C:\Users\Admin\AppData\Local\Temp\Sczbl.bat

"C:\Users\Admin\AppData\Local\Temp\Sczbl.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Network

Country  Destination           Domain                        Proto
US       138.91.171.81:80                                    tcp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa   udp
US       8.8.8.8:53            176.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            22.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            dead-reviewer.gl.at.ply.gg    udp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       8.8.8.8:53            17.221.185.147.in-addr.arpa   udp
US       8.8.8.8:53            58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53            150.1.37.23.in-addr.arpa      udp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53            18.134.221.88.in-addr.arpa    udp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       8.8.8.8:53            48.229.111.52.in-addr.arpa    udp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       8.8.8.8:53            194.178.17.96.in-addr.arpa    udp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       147.185.221.17:60161  dead-reviewer.gl.at.ply.gg    tcp
US       8.8.8.8:53            9.173.189.20.in-addr.arpa     udp

Files

memory/4576-0-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/4576-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/4576-2-0x00000000012D0000-0x00000000012E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 937286297fbc003e6a69fdc0f02ce8b0
SHA1 2ebd595bbb357264649f17f8b066941f05befefb
SHA256 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
SHA512 9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4

memory/2756-12-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/2756-14-0x00000000017C0000-0x00000000017D0000-memory.dmp

memory/2756-16-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/4576-15-0x0000000074830000-0x0000000074DE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 5014379cf5fa31db8a73d68d6353a145
SHA1 2a1a5138e8c9e7547caae1c9fb223afbf714ed00
SHA256 538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8
SHA512 5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

memory/2756-54-0x00000000017C0000-0x00000000017D0000-memory.dmp

memory/2756-55-0x00000000017C0000-0x00000000017D0000-memory.dmp

memory/2756-56-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/2756-57-0x00000000017C0000-0x00000000017D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7598.tmp.exe

MD5 81933ce5ca9beb8efb6c431bc6505361
SHA1 7f88cc2b8e40a2f485f9062fc8bba4ac2793c20a
SHA256 ae4803897d99ebbce5ef7bb65155c70aa8496188c769f9b5829aee8d62ec8d82
SHA512 debad62cb7928bafc1aebf84933fe64afe7dfea06ef01588509ec7b4283a4a07eed584f40e28e40c626295c3b357b469397a664e65b90cf04d530531daddd4a8

memory/3940-69-0x0000000000230000-0x000000000025A000-memory.dmp

memory/3940-71-0x000000001B0C0000-0x000000001B0D0000-memory.dmp

memory/3940-70-0x00007FFC6D7F0000-0x00007FFC6E2B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gebrrr.exe

MD5 f5b9830d4d8d3e46ac5cf7c0203cecf7
SHA1 0fee86b7327672435801d5da3c453326398fb1c9
SHA256 9b9b86d55832e34a68a293d5ec6deb8a8835d45410e28969cb60856351c834b6
SHA512 e343de8d73437acdce8eb1f5149e4e6cb1e700eaad51f7ef219b6bb4117b1b8aacf7f6290c9dd4b41c18103ee29ee65b010af1a53f5db73b66ca911c760462aa

C:\Users\Admin\AppData\Local\Temp\Sczbl.bat

MD5 a2678bbd0eace916ffeb692085da3ce3
SHA1 4962672978e14a77eddc7992296faa88f68cfc0e
SHA256 0d1e495ca174082e5f51835d1fab22a9a664e83dd06cbd6670617cbb1c30a456
SHA512 8f773d8bf5389953d886074f9da65e7114479d05e63f1f60da66db89381e06d5c9e8780d03131d89ffe01c1be5daf5c020fa201ded7048d70c15f9261752d861

memory/1172-89-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/1172-90-0x0000000000D20000-0x0000000000D30000-memory.dmp

memory/1172-92-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/3940-93-0x00007FFC6D7F0000-0x00007FFC6E2B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 76c1687d97dfdbcea62ef1490bec5001
SHA1 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
SHA256 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
SHA512 da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

memory/1172-99-0x0000000074830000-0x0000000074DE1000-memory.dmp

memory/3496-103-0x0000000000400000-0x0000000000417000-memory.dmp