remcos | 338c23abbf9f4d792d9bac20f519c89fafc6d340dbfd7afea56ebb5ea8f449b5

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll
Size

150.0MB
MD5

3ceefa7bd30b2b5494c2cdb64342835c
SHA1

ef4cad7600788cc696cec53480dcfb67a5143adb
SHA256

e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233
SHA512

a3f88fae400037427d3068d583317c08132ff936c21c3fa38a97afedb9b614302228903973ed3aa8b41fb266f5e1aa3c7550ce4b4653ea9d4b1c06a0c350880f
SSDEEP

786432:7UP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp:7UP7GCG64Srkx1hSzYsHQD3t/R

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ogbatobanana.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0R92B3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exeWScript.exe

flow pid process

37 3036 WScript.exe
39 3036 WScript.exe
41 3036 WScript.exe
51 3188 WScript.exe

flow	pid	process
37	3036	WScript.exe
39	3036	WScript.exe
41	3036	WScript.exe
51	3188	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exeRegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RegSvcs.exe

Executes dropped EXE 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

5112 RegSvcs.exe
4720 RegSvcs.exe

pid	process
5112	RegSvcs.exe
4720	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\VIVA_01.dll,EntryPoint"	reg.exe

Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

756 regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	regsvr32.exe

pid	process
756	regsvr32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2272 set thread context of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 set thread context of 4720	2272	powershell.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

regsvr32.exeRegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

936 powershell.exe
936 powershell.exe
2272 powershell.exe
2272 powershell.exe
2272 powershell.exe
2272 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 936 powershell.exe
Token: SeDebugPrivilege 2272 powershell.exe

pid	process
936	powershell.exe
936	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

regsvr32.exeregsvr32.execmd.exeregsvr32.exeWScript.execmd.exeWScript.execmd.exepowershell.exeRegSvcs.exe

description	pid	process	target process
PID 3792 wrote to memory of 756	3792	regsvr32.exe	regsvr32.exe
PID 3792 wrote to memory of 756	3792	regsvr32.exe	regsvr32.exe
PID 3792 wrote to memory of 756	3792	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 2664	756	regsvr32.exe	cmd.exe
PID 756 wrote to memory of 2664	756	regsvr32.exe	cmd.exe
PID 756 wrote to memory of 2664	756	regsvr32.exe	cmd.exe
PID 756 wrote to memory of 4040	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 4040	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 4040	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 4040	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 4040	756	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 4040	756	regsvr32.exe	regsvr32.exe
PID 2664 wrote to memory of 3408	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3408	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3408	2664	cmd.exe	reg.exe
PID 4040 wrote to memory of 3036	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 3036	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 3036	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 3188	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 3188	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 3188	4040	regsvr32.exe	WScript.exe
PID 3036 wrote to memory of 1992	3036	WScript.exe	cmd.exe
PID 3036 wrote to memory of 1992	3036	WScript.exe	cmd.exe
PID 3036 wrote to memory of 1992	3036	WScript.exe	cmd.exe
PID 1992 wrote to memory of 936	1992	cmd.exe	powershell.exe
PID 1992 wrote to memory of 936	1992	cmd.exe	powershell.exe
PID 1992 wrote to memory of 936	1992	cmd.exe	powershell.exe
PID 3188 wrote to memory of 5048	3188	WScript.exe	cmd.exe
PID 3188 wrote to memory of 5048	3188	WScript.exe	cmd.exe
PID 3188 wrote to memory of 5048	3188	WScript.exe	cmd.exe
PID 5048 wrote to memory of 2272	5048	cmd.exe	powershell.exe
PID 5048 wrote to memory of 2272	5048	cmd.exe	powershell.exe
PID 5048 wrote to memory of 2272	5048	cmd.exe	powershell.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 5112	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 2272 wrote to memory of 4720	2272	powershell.exe	RegSvcs.exe
PID 4040 wrote to memory of 1076	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 1076	4040	regsvr32.exe	WScript.exe
PID 4040 wrote to memory of 1076	4040	regsvr32.exe	WScript.exe
PID 5112 wrote to memory of 3344	5112	RegSvcs.exe	WScript.exe
PID 5112 wrote to memory of 3344	5112	RegSvcs.exe	WScript.exe
PID 5112 wrote to memory of 3344	5112	RegSvcs.exe	WScript.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233.dll
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\VIVA_01.dll",EntryPoint /f
4⤵
- Adds Run key to start application
PID:3408

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe"
3⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\XWWTS.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\MNUZY.ps1
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\JDXGA.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\MOAZS.ps1
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\iilww.vbs"
8⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
7⤵
- Executes dropped EXE
PID:4720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uzjvjwpomgqleldypuhcq.vbs"
4⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFF36071456820AC60FD568DDF18F256

Filesize
503B

MD5
5d3fff1b9b0b50c2d1b978b5e26fe28d

SHA1
8c382cb42267ee979a412bc0a950e67b91822fc3

SHA256
02a302fb8ae7cdd340de1726f1e89bd67b012dc311e7f1e555be28bdae3f3ca7

SHA512
3848ba48b10eeee832fe18d3d8a5645ccbf0ce294e05fbcdacae19285a12524d1c246fbce6507345a987f5998ab6361169aa4f0977afbc5c57249c9a350f101c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
691526770e90e29ed992baff601093c2

SHA1
73ddb5ca0d2ef2147a254737c59c5eaf8a3453cd

SHA256
2d5a065d012cba33cf480445063fbafbd0e21da48f0f7f745974f21a0312d662

SHA512
db5957dc2b863613505be8a67a307d8ac4e1b79410e1390def4f96bc2af9b191cabcddbd0e608f86a76cb4e963a1483681fcb9c5331a9d73c1c9a015e96208f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFF36071456820AC60FD568DDF18F256

Filesize
552B

MD5
a3b4e53f08bf25ff61d5c01f367f78c3

SHA1
e92970d6f3c3252f6359d15aabaa9aa6c31db0f4

SHA256
6b844f8c95f0ba2180558d5ef59b53c4590fa398f9368f3c9225f71d2ac9492b

SHA512
689c3c9ac6b1feeae6412c1a46f3b6a8e52353c7eb65e5ae679322cd61ca2c8370c55a6b4aba6cb2714896f2eb3d66281bfa3114ffc36638408c43ad30d8dbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6681dde54f627893513e4d79bd92c16c

SHA1
87e4c3189440a0576f90a5710894ad0590143a8d

SHA256
eac4af70d9b3ee49dfe2fa532826a93d976f9d9bc1827f52b5d7749b490b6720

SHA512
57884a982e9dcf38fdbf8da3e0a94fc13868a3fef2469d8b07544e8e95678f5f44a15bd51c69fa898e97bd60e0b3ec71515925fe1f2ee9f28b08ce44e8034298

Download Submit
C:\Users\Admin\AppData\Local\Temp\Memory.vbs

Filesize
6.1MB

MD5
f2423557341720ee37a3ca4160ab350d

SHA1
dff2f296535fa069dd29ad0860bb1d3ca61a1e37

SHA256
82c1e03d1965f9efb7597e8999cc8464d471be14657d42362b4d6ffdb257d2d7

SHA512
3a0ec132bcb1239afa7046130eaf86e41a0693dc79d482124df0e93a1312dc4021a43c0a9db6b48ae201e322e9c61a3b0ac6ae791395d398404140cd79d7ed03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Memory.vbs

Filesize
8.4MB

MD5
69e0e19835d62203ac824a0a042f80e9

SHA1
891a847ee52943e9d1eb9ab024a59651dbe74c7b

SHA256
23ecd046f3370b97563b8a0bbb6c93f3792d00446cf54f9836f21b31316a4264

SHA512
a55b07747607e746f8138d509cf823d72e41581ea1a39d0948f5834d87e35edf93eebd1f5db6f50c18a812cb13c8f6232fd9f47d858c3125f82bd885a6079f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_av3lquxf.ebo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iilww.vbs

Filesize
500B

MD5
7c511f6f0add80ad7f9b0b22d50959f0

SHA1
e656bc5752fa864e6c1b86033530f31b9ca9e726

SHA256
39f9ff071536b555e9b7da9e0104cb979f22f5236abe9eca9a5b90718b36da15

SHA512
3ee23b4f523454ef0b88dab5a543e2be704f9e1e37ccde7a8e0b17b1613e4db6235e18adccb3f9d44c1e76faac0c7caabfaf51e76b449a6d785dfb3ef4b9a918

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzjvjwpomgqleldypuhcq.vbs

Filesize
448B

MD5
322928831a8b29ebc06d5bc8edbec60d

SHA1
75b4a66f691a9550423f5acdb0fc46142c05a1fc

SHA256
93d2d9e801aa2189593ed51e168564c69d964dbf71579c2195586a58445b52d8

SHA512
8a6584e36803189d78b20f251771779745774dab3bee0366082b913e2395233dfd7cf83c84e6c5419ed5662045875c16123b075d706d23f3d57a732ce8666ca3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EZZWO.vbs

Filesize
276B

MD5
e7d45c26e15f21e975d223e45b7da4eb

SHA1
8c3a9930d33100cd884f39e8e731db760df63e9d

SHA256
ca21215bc5b694571f93809e6244ef75c69d71649d3598ddfd0aa5e651a9fc71

SHA512
e3cdd9b6904e192d9d1114b5715af1116bddca0e42e34707349fad7f4f3f0f505196ef2cdb1fd0a310727c41154bacee25fd1c0052ab2589289c3a1c617a06d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPLJR.vbs

Filesize
276B

MD5
cf213bfcfbf6fd9aa3a9954929f1fbb1

SHA1
e67bfa49f24f815df08b86a26fba794a6e7109bd

SHA256
c876a1d0b87f4bef0ecbc673b18013a42ad86d1e7e243a917ddf66146dba891c

SHA512
efc04c9539cb35813ef2a6c06ec9834041f034996add5683908dfb977b2ca79cb62eb63641ac462393d550336efc4a9a85493f935e6c984284fc0724176aeb39

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\JDXGA.cmd

Filesize
75B

MD5
bd6857a941997730269e24a8c8cfd1fd

SHA1
5fd0b1db9aa4fbee2cdac89c9411029747017e94

SHA256
dca163e5a20432b2e3f4b0c7e2f117d5a0d0b9b43a4ba54e7577a2f4880695fd

SHA512
678db8d6d7660fc478e48818aff8ec6a04221e78b6a63cccf52622d6fa29b3d1476c7a388ef41c47f4852bfb211e037bbff051a830805141fbd53a656840bc87

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\MNUZY.ps1

Filesize
18B

MD5
26fde7d375d1bd5bb2365e3c9f01a803

SHA1
226f0e4fd419f92ef65464bac9656f3a33c9c754

SHA256
3d9452c2294d672986b03b274fdc8111c38b87efc76163995b7a257d5c6c2ee6

SHA512
499a237f13b0bb1e7880d29c057bee403075039f4592e59c10f95d3e57aaa9e2aa37de61f3f5b706f03438778955bb23d3f847ba116e3784eb3534725c7b3326

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\MOAZS.ps1

Filesize
1.1MB

MD5
5cf2c1666ad003aa8b6cd8a97cd584a0

SHA1
1660e606e6408bca33e935ce190e0a1ebbec631f

SHA256
ec81e2567d6389125069a1b4724d927707ee00f12af4e0f9d8751f379ae9f7c3

SHA512
eb6d44a1c5a8cf06fab45ca0981a8ba13b3e529b424f75656d3b371125d11f39ee386ffa1802e1b0202395fcfd338905cb70ef6af1a1a69ff1afb677b836cc9e

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsServices\XWWTS.cmd

Filesize
75B

MD5
ae51876ebf33b5bc2b49115a5f0ce077

SHA1
77a138eac0ebf7a9ec90fb299570166089038321

SHA256
10fd06231daa6f01e645d0b3ca70b1043c6dbacdcfc2523060adb1880effe2ca

SHA512
d19338c6a5d8851b15f2b9d46e31dbb2e9570a02456c76b01be9c70a376aa2520b25791eaedc48cabdb382bab17fd7200f3eb2c5917f029cefa3cd227192fb4d

Download Submit
memory/756-1-0x0000000010000000-0x0000000012DB3000-memory.dmp

Filesize
45.7MB

Download
memory/756-0-0x0000000010000000-0x0000000012DB3000-memory.dmp

Filesize
45.7MB

Download
memory/756-9-0x0000000010000000-0x0000000012DB3000-memory.dmp

Filesize
45.7MB

Download
memory/936-121-0x0000000007C00000-0x0000000007C1A000-memory.dmp

Filesize
104KB

Download
memory/936-113-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/936-136-0x0000000071B80000-0x0000000072330000-memory.dmp

Filesize
7.7MB

Download
memory/936-133-0x0000000007B50000-0x0000000007B58000-memory.dmp

Filesize
32KB

Download
memory/936-118-0x0000000007B20000-0x0000000007B34000-memory.dmp

Filesize
80KB

Download
memory/936-76-0x0000000071B80000-0x0000000072330000-memory.dmp

Filesize
7.7MB

Download
memory/936-77-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/936-75-0x0000000002FE0000-0x0000000003016000-memory.dmp

Filesize
216KB

Download
memory/936-78-0x0000000005710000-0x0000000005D38000-memory.dmp

Filesize
6.2MB

Download
memory/936-79-0x0000000005D40000-0x0000000005D62000-memory.dmp

Filesize
136KB

Download
memory/936-80-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/936-117-0x0000000007B10000-0x0000000007B1E000-memory.dmp

Filesize
56KB

Download
memory/936-81-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/936-91-0x00000000060F0000-0x0000000006444000-memory.dmp

Filesize
3.3MB

Download
memory/936-92-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/936-93-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/936-114-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

Filesize
68KB

Download
memory/936-95-0x000000007F160000-0x000000007F170000-memory.dmp

Filesize
64KB

Download
memory/936-96-0x0000000007550000-0x0000000007582000-memory.dmp

Filesize
200KB

Download
memory/936-97-0x000000006E510000-0x000000006E55C000-memory.dmp

Filesize
304KB

Download
memory/936-107-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download
memory/936-108-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/936-109-0x0000000007790000-0x0000000007833000-memory.dmp

Filesize
652KB

Download
memory/936-110-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/936-111-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/936-112-0x0000000007940000-0x000000000794A000-memory.dmp

Filesize
40KB

Download
memory/2272-141-0x0000000008040000-0x00000000085E4000-memory.dmp

Filesize
5.6MB

Download
memory/2272-122-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/2272-162-0x0000000071B80000-0x0000000072330000-memory.dmp

Filesize
7.7MB

Download
memory/2272-144-0x0000000007050000-0x00000000070EC000-memory.dmp

Filesize
624KB

Download
memory/2272-143-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2272-120-0x0000000071B80000-0x0000000072330000-memory.dmp

Filesize
7.7MB

Download
memory/2272-140-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

Filesize
136KB

Download
memory/2272-123-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/4040-182-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-175-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-28-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-10-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-138-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-139-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-11-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-29-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-18-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-14-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-2-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4040-4-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-8-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-170-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-13-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-177-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-7-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-12-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-5-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-169-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-23-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-173-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-171-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4040-172-0x0000000000800000-0x0000000000882000-memory.dmp

Filesize
520KB

Download
memory/4720-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4720-160-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4720-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-165-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-168-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-164-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-163-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-174-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-161-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-188-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-189-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-190-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-191-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-192-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-193-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-195-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-196-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-198-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-199-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-204-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5112-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download