Malware Analysis Report

2024-11-13 18:48

Sample ID 240726-h18vjaxbjg
Target f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
SHA256 f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2
Tags
remcos remotehost discovery rat
score
10/10

Analysis Overview

score
10/10

SHA256

f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2

Threat Level: Known bad

The file f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery rat

Remcos

Suspicious use of NtCreateUserProcessOtherParentProcess

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates processes with tasklist

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 07:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 07:13

Reported

2024-07-26 07:15

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Remcos

rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4284 created 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | C:\Windows\Explorer.EXE

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3524 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 3524 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1504 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1504 wrote to memory of 956 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1504 wrote to memory of 3972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1504 wrote to memory of 3972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1504 wrote to memory of 3972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1504 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1504 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1504 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1504 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1504 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1504 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1504 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 4284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif
PID 1504 wrote to memory of 4284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif
PID 1504 wrote to memory of 4284 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif
PID 1504 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1504 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1504 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4284 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe

"C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 4684

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4684\Travelling.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4684\E

C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif

4684\Travelling.pif 4684\E

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & exit

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | VROesbkaGG.VROesbkaGG | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
UA | 31.43.185.8:2202 |  | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
UA | 31.43.185.8:2202 |  | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
US | 8.8.8.8:53 |  | udp

Files

C:\Users\Admin\AppData\Local\Temp\Spending

MD5 5a1321d892070c60f726edc3e3692ab7
SHA1 ecdda384d7aa6e3e0c289fdf44652de169aefde6
SHA256 ca250bb73ec2afb3e14d2f9bf363623cfa528c8c195be5014e578b2b55c20713
SHA512 2986f8ef18d920d31fdd9851302b0e7fea995abe3f00ccc23dcbb0619645537a9b5aad6720991ea68f037085a70f4caca9b4a7777130753a875fb8f2659e982b

C:\Users\Admin\AppData\Local\Temp\Nextel

MD5 fdbd6f9f8d264754709a9a392e5166c2
SHA1 a6026b0a6e26427676a7eba319a0fad436fb5a46
SHA256 9ca8693b734561301b95c2a285578b3559ede64a0fc10fdf85a9ff7ef440e840
SHA512 5c78a6f1ce8526f649e15354973e5f32f2bfa83fd195d934efb403c3c474c3a876b0d732dc0c519c98ab45e2bc25a89c91465b5a99a90ea0cc834c2bde665c83

C:\Users\Admin\AppData\Local\Temp\Carroll

MD5 cdf5ce2b2740794fb5638a60c97d6ca7
SHA1 68e967c2267b4631fa8f068bdce84db1f02fe0ed
SHA256 f050298d5a56ae17bececcb622d8115f5f74de3c0c2a261ced812a6b5538d23d
SHA512 3a41ea23b3cc21fe1811ad728addbedf0354052ef134698807c0936113a8c5a403f2220bb76519b5159c4cb90029b49320c71b0f71b89534df0250b9fd3c1d51

C:\Users\Admin\AppData\Local\Temp\Foot

MD5 7735d4e2e9fd3e829340f06b7a47e0fc
SHA1 ade0d827c011e03cd3d3a6b4cd544fc4227c5122
SHA256 bc463e36242a65e435fb9894b2803a645df73b7c3e9257065abb5879fcaf204a
SHA512 1dce04c21d60bc459949d8de9bdbb16a75d57f44d92cdef53e00d5c5daa5fc322d3c230b4a99b39e3c044559a90361a6782b7805062ff5feb630c8acc43daed5

C:\Users\Admin\AppData\Local\Temp\Deviant

MD5 497d3bd5165a8545a5b4dcf3a842f721
SHA1 41e3dc37a0eb4b0fdd17bc4aa21503022744de08
SHA256 3eb173ae116ea9ae4e6041a352c444ad663a1564767f80061fd50a29c7b7ca85
SHA512 93d8787c5770a93386b4ca12544bf7b5bdbbbf9c1b94f8ba78fa5ec52aa9b53efb1fda4676d2372867cc5f0b78a07bc679dd994a16399b7824dde706de139e48

C:\Users\Admin\AppData\Local\Temp\Cemetery

MD5 47f942807f5dec3c5107788292d0fecd
SHA1 21da1ca4ac2a0dc11c4d30c70f1d7d41025c5116
SHA256 423618830ed07bd79ec3a92b102c504f69942819d126e7538980fcfdd21e254b
SHA512 8622ac215805cfa7766bf0d0e5f25e0b5ebdf1085c34232b2eeb2b4063a4a5abbf7697ce97a26d5a0f4a2abff18c84282fd92ba637dec3911689518d758784de

C:\Users\Admin\AppData\Local\Temp\Wiki

MD5 9a2a73b89ef29c867db353c905ba26b2
SHA1 202e2c7d9c9b87957ed0e0a6b6398b9356846ae0
SHA256 210c3ce2c7ec2616a45d6ac957325e34d58e01ab16a717cdced47d563d8fba5a
SHA512 29b98bf683710dec760cb945c2322e95afec0d230d15eff251e241837922ca9eb88517d524a9336e7d951cacf4147faff4564981e549fec047b6dd73e909fed7

C:\Users\Admin\AppData\Local\Temp\Pharmacies

MD5 1bc99d6790ad7980b06e0155053fa85d
SHA1 080584bee5fe0fbe1c0e12ec667dfbd4d11ae11d
SHA256 2f6fc0b13b490c15737b3b284e3275e6762f83e997369cade8478351adf3003d
SHA512 38a13f718f9b048da052cd46344c16ca0c24b4b62f4218c6f18d3abcd3120460c129b5bd1ad4ff77e0b6876cc983cb9a6a67a3bc44c822c4c5734718aabf8f80

C:\Users\Admin\AppData\Local\Temp\Either

MD5 3ce1f10bafb24d85a3b76ea4d5aa70db
SHA1 37e31294b91bf67cdce1e1d58342f7f97f284e6a
SHA256 c2bd0e0bfd089366a5cd49db1a7f4c9c4b2c6b3c92924319de3a18c7b75a0b32
SHA512 2c0ca237084b3b5e7015a77d7cb3c874e19086ae464ae49a751e4da1c124a243baf6b0d73aee7bfc1f17862fc2f24a9f85f45cac402befd0c7e42a7d68e78f7c

C:\Users\Admin\AppData\Local\Temp\Quilt

MD5 55a984e33e1bc5af3daa8243b4fcdf41
SHA1 a32a48801302c293749a478cbdddde2de3fb56e2
SHA256 566df799d543d8a004f050cf673f29d0bc47c70d328b207bc526c335379565d6
SHA512 f6970220400611bd4b58fc13147fe2f7552b96bf48bf2589b37e5fb41bc988f095431ffb35b6c2943ed5a7405a2ca427f2ee5e26795ea3a1071b32c9fb347c7f

C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\4684\E

MD5 58cb40a5a8e893df0b75dbf70ed10162
SHA1 9bc860f702f5b8f6dc2eb437e23ed41362cfceb1
SHA256 4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43
SHA512 3031ee0b19aec56b04e9cfbcf0d4f267f87cdd4ca167b7871607fa58aaa3d68c7dc09a89ffed4c82e982ff3e5b05e1b45e9221fb613eebd9cfcc8e807d6e8fc7

memory/4284-32-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-31-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-33-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-34-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-35-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-38-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-37-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-36-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-39-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-40-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-41-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-42-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-43-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-44-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-45-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-46-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-47-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-48-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-49-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-50-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-51-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-52-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-53-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-54-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-55-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-56-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-57-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-58-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-59-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-60-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-61-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-62-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-63-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-64-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-65-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-66-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-67-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-68-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-69-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-70-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-71-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-72-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-73-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-74-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-75-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-76-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-77-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-78-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-79-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-80-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-81-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-82-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-83-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-84-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-85-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-86-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-87-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-88-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-89-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-90-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-91-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-92-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-93-0x0000000000080000-0x00000000000F5000-memory.dmp

memory/4284-94-0x0000000000080000-0x00000000000F5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 07:13

Reported

2024-07-26 07:15

Platform

win7-20240705-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Remcos

rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1480 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | C:\Windows\Explorer.EXE

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 860 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 2844 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2844 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2772 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif
PID 2844 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif
PID 2844 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif
PID 2844 wrote to memory of 1480 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif
PID 2844 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2844 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2844 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2844 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1480 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe

"C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 4681

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4681\Travelling.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4681\E

C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif

4681\Travelling.pif 4681\E

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & exit

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | VROesbkaGG.VROesbkaGG | udp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp
UA | 31.43.185.8:2202 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Spending

MD5 5a1321d892070c60f726edc3e3692ab7
SHA1 ecdda384d7aa6e3e0c289fdf44652de169aefde6
SHA256 ca250bb73ec2afb3e14d2f9bf363623cfa528c8c195be5014e578b2b55c20713
SHA512 2986f8ef18d920d31fdd9851302b0e7fea995abe3f00ccc23dcbb0619645537a9b5aad6720991ea68f037085a70f4caca9b4a7777130753a875fb8f2659e982b

C:\Users\Admin\AppData\Local\Temp\Nextel

MD5 fdbd6f9f8d264754709a9a392e5166c2
SHA1 a6026b0a6e26427676a7eba319a0fad436fb5a46
SHA256 9ca8693b734561301b95c2a285578b3559ede64a0fc10fdf85a9ff7ef440e840
SHA512 5c78a6f1ce8526f649e15354973e5f32f2bfa83fd195d934efb403c3c474c3a876b0d732dc0c519c98ab45e2bc25a89c91465b5a99a90ea0cc834c2bde665c83

C:\Users\Admin\AppData\Local\Temp\Foot

MD5 7735d4e2e9fd3e829340f06b7a47e0fc
SHA1 ade0d827c011e03cd3d3a6b4cd544fc4227c5122
SHA256 bc463e36242a65e435fb9894b2803a645df73b7c3e9257065abb5879fcaf204a
SHA512 1dce04c21d60bc459949d8de9bdbb16a75d57f44d92cdef53e00d5c5daa5fc322d3c230b4a99b39e3c044559a90361a6782b7805062ff5feb630c8acc43daed5

C:\Users\Admin\AppData\Local\Temp\Carroll

MD5 cdf5ce2b2740794fb5638a60c97d6ca7
SHA1 68e967c2267b4631fa8f068bdce84db1f02fe0ed
SHA256 f050298d5a56ae17bececcb622d8115f5f74de3c0c2a261ced812a6b5538d23d
SHA512 3a41ea23b3cc21fe1811ad728addbedf0354052ef134698807c0936113a8c5a403f2220bb76519b5159c4cb90029b49320c71b0f71b89534df0250b9fd3c1d51

C:\Users\Admin\AppData\Local\Temp\Deviant

MD5 497d3bd5165a8545a5b4dcf3a842f721
SHA1 41e3dc37a0eb4b0fdd17bc4aa21503022744de08
SHA256 3eb173ae116ea9ae4e6041a352c444ad663a1564767f80061fd50a29c7b7ca85
SHA512 93d8787c5770a93386b4ca12544bf7b5bdbbbf9c1b94f8ba78fa5ec52aa9b53efb1fda4676d2372867cc5f0b78a07bc679dd994a16399b7824dde706de139e48

C:\Users\Admin\AppData\Local\Temp\Cemetery

MD5 47f942807f5dec3c5107788292d0fecd
SHA1 21da1ca4ac2a0dc11c4d30c70f1d7d41025c5116
SHA256 423618830ed07bd79ec3a92b102c504f69942819d126e7538980fcfdd21e254b
SHA512 8622ac215805cfa7766bf0d0e5f25e0b5ebdf1085c34232b2eeb2b4063a4a5abbf7697ce97a26d5a0f4a2abff18c84282fd92ba637dec3911689518d758784de

C:\Users\Admin\AppData\Local\Temp\Wiki

MD5 9a2a73b89ef29c867db353c905ba26b2
SHA1 202e2c7d9c9b87957ed0e0a6b6398b9356846ae0
SHA256 210c3ce2c7ec2616a45d6ac957325e34d58e01ab16a717cdced47d563d8fba5a
SHA512 29b98bf683710dec760cb945c2322e95afec0d230d15eff251e241837922ca9eb88517d524a9336e7d951cacf4147faff4564981e549fec047b6dd73e909fed7

C:\Users\Admin\AppData\Local\Temp\Pharmacies

MD5 1bc99d6790ad7980b06e0155053fa85d
SHA1 080584bee5fe0fbe1c0e12ec667dfbd4d11ae11d
SHA256 2f6fc0b13b490c15737b3b284e3275e6762f83e997369cade8478351adf3003d
SHA512 38a13f718f9b048da052cd46344c16ca0c24b4b62f4218c6f18d3abcd3120460c129b5bd1ad4ff77e0b6876cc983cb9a6a67a3bc44c822c4c5734718aabf8f80

C:\Users\Admin\AppData\Local\Temp\Quilt

MD5 55a984e33e1bc5af3daa8243b4fcdf41
SHA1 a32a48801302c293749a478cbdddde2de3fb56e2
SHA256 566df799d543d8a004f050cf673f29d0bc47c70d328b207bc526c335379565d6
SHA512 f6970220400611bd4b58fc13147fe2f7552b96bf48bf2589b37e5fb41bc988f095431ffb35b6c2943ed5a7405a2ca427f2ee5e26795ea3a1071b32c9fb347c7f

C:\Users\Admin\AppData\Local\Temp\Either

MD5 3ce1f10bafb24d85a3b76ea4d5aa70db
SHA1 37e31294b91bf67cdce1e1d58342f7f97f284e6a
SHA256 c2bd0e0bfd089366a5cd49db1a7f4c9c4b2c6b3c92924319de3a18c7b75a0b32
SHA512 2c0ca237084b3b5e7015a77d7cb3c874e19086ae464ae49a751e4da1c124a243baf6b0d73aee7bfc1f17862fc2f24a9f85f45cac402befd0c7e42a7d68e78f7c

\Users\Admin\AppData\Local\Temp\4681\Travelling.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\4681\E

MD5 58cb40a5a8e893df0b75dbf70ed10162
SHA1 9bc860f702f5b8f6dc2eb437e23ed41362cfceb1
SHA256 4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43
SHA512 3031ee0b19aec56b04e9cfbcf0d4f267f87cdd4ca167b7871607fa58aaa3d68c7dc09a89ffed4c82e982ff3e5b05e1b45e9221fb613eebd9cfcc8e807d6e8fc7

memory/1480-{31..94}-0x00000000043C0000-0x0000000004435000-memory.dmp (64 dumps, sequence numbers 31 to 94, all of the same 0x75000-byte region in PID 1480)