remcos | b96bcc8d4542d8644a5aef79d3e0a947770501b3dc7c75f67301fe605afb5407

Analysis

max time kernel
206s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/10/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

formulario_agendamiento_citas.msi
Size

2.8MB
MD5

86e199f73f01385585066e288c1738f3
SHA1

c7aaa0ed3d4177a71469667f617602b9517f2a48
SHA256

bcbcecf559e1506a12291cf270d6255f392a513ebca9464393d0a90efbaf9e63
SHA512

3d2a11d4093a90f5437e6c93c86473c6d773942aac9b66424d0e31d28c3016aa41b654742a5a98ec1aa9634e5a84f95498fef520c75a55dfbae022ad844f1756
SSDEEP

49152:x4WwasPIAyw9AiOFkw8xKBmk0PvpiUJjcW1gq+r6cWq7HSdqO0:CRnAA5POFl0KEBpiUJwW1gBTV7+0

Score

10^/10

remcos octubre 01 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

OCTUBRE 01 MUCHACHA

imaxatmonk.imaxatmonk.com:2204

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Acobatlg.exe
copy_folder
edqelofh
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
bhgoktys
mouse_option
false
mutex
fnahofkts-AL3Z2Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 3084	4896	ManyCam.exe	83

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{91417BCE-1368-43B1-82BB-75D80C662650}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94AE.tmp	msiexec.exe
File created	C:\Windows\Installer\e5793d6.msi	msiexec.exe
File created	C:\Windows\Installer\e5793d4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5793d4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1300	ManyCam.exe
4896	ManyCam.exe

Loads dropped DLL 21 IoCs

pid	Process
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
1300	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
1828	Krycontrol_v5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2084	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krycontrol_v5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Krycontrol_v5.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4232	msiexec.exe
4232	msiexec.exe
1300	ManyCam.exe
4896	ManyCam.exe
4896	ManyCam.exe
3084	cmd.exe
3084	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1828	Krycontrol_v5.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4896	ManyCam.exe
3084	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	4232	msiexec.exe
Token: SeCreateTokenPrivilege	2084	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2084	msiexec.exe
Token: SeLockMemoryPrivilege	2084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2084	msiexec.exe
Token: SeMachineAccountPrivilege	2084	msiexec.exe
Token: SeTcbPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeLoadDriverPrivilege	2084	msiexec.exe
Token: SeSystemProfilePrivilege	2084	msiexec.exe
Token: SeSystemtimePrivilege	2084	msiexec.exe
Token: SeProfSingleProcessPrivilege	2084	msiexec.exe
Token: SeIncBasePriorityPrivilege	2084	msiexec.exe
Token: SeCreatePagefilePrivilege	2084	msiexec.exe
Token: SeCreatePermanentPrivilege	2084	msiexec.exe
Token: SeBackupPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeShutdownPrivilege	2084	msiexec.exe
Token: SeDebugPrivilege	2084	msiexec.exe
Token: SeAuditPrivilege	2084	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2084	msiexec.exe
Token: SeChangeNotifyPrivilege	2084	msiexec.exe
Token: SeRemoteShutdownPrivilege	2084	msiexec.exe
Token: SeUndockPrivilege	2084	msiexec.exe
Token: SeSyncAgentPrivilege	2084	msiexec.exe
Token: SeEnableDelegationPrivilege	2084	msiexec.exe
Token: SeManageVolumePrivilege	2084	msiexec.exe
Token: SeImpersonatePrivilege	2084	msiexec.exe
Token: SeCreateGlobalPrivilege	2084	msiexec.exe
Token: SeBackupPrivilege	484	vssvc.exe
Token: SeRestorePrivilege	484	vssvc.exe
Token: SeAuditPrivilege	484	vssvc.exe
Token: SeBackupPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe
Token: SeTakeOwnershipPrivilege	4232	msiexec.exe
Token: SeRestorePrivilege	4232	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	msiexec.exe
2084	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	Krycontrol_v5.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4588	4232	msiexec.exe	77
PID 4232 wrote to memory of 4588	4232	msiexec.exe	77
PID 4232 wrote to memory of 1300	4232	msiexec.exe	79
PID 4232 wrote to memory of 1300	4232	msiexec.exe	79
PID 4232 wrote to memory of 1300	4232	msiexec.exe	79
PID 1300 wrote to memory of 2136	1300	ManyCam.exe	80
PID 1300 wrote to memory of 2136	1300	ManyCam.exe	80
PID 1300 wrote to memory of 4896	1300	ManyCam.exe	81
PID 1300 wrote to memory of 4896	1300	ManyCam.exe	81
PID 1300 wrote to memory of 4896	1300	ManyCam.exe	81
PID 4896 wrote to memory of 3492	4896	ManyCam.exe	82
PID 4896 wrote to memory of 3492	4896	ManyCam.exe	82
PID 4896 wrote to memory of 3084	4896	ManyCam.exe	83
PID 4896 wrote to memory of 3084	4896	ManyCam.exe	83
PID 4896 wrote to memory of 3084	4896	ManyCam.exe	83
PID 4896 wrote to memory of 3084	4896	ManyCam.exe	83
PID 3084 wrote to memory of 1828	3084	cmd.exe	85
PID 3084 wrote to memory of 1828	3084	cmd.exe	85
PID 3084 wrote to memory of 1828	3084	cmd.exe	85
PID 3084 wrote to memory of 1828	3084	cmd.exe	85
PID 3084 wrote to memory of 1828	3084	cmd.exe	85
PID 3084 wrote to memory of 1828	3084	cmd.exe	85
PID 1828 wrote to memory of 3008	1828	Krycontrol_v5.exe	86
PID 1828 wrote to memory of 3008	1828	Krycontrol_v5.exe	86
PID 1828 wrote to memory of 3008	1828	Krycontrol_v5.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formulario_agendamiento_citas.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4588
- C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe
  "C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\system32\pcaui.exe
    "C:\Windows\system32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {bce4b583-343f-44b8-8f95-9f76104077b9} /a "ManyCam" /v "ManyCam LLC" /s "To function properly, ManyCam must be reinstalled after you upgrade Windows." /b 4 /f 0 /k 0 /e "C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe"
    3⤵
    PID:2136
- - C:\Users\Admin\AppData\Roaming\Uninstalloracle_Ki\ManyCam.exe
    C:\Users\Admin\AppData\Roaming\Uninstalloracle_Ki\ManyCam.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" /g {11111111-1111-1111-1111-111111111111} /x {bce4b583-343f-44b8-8f95-9f76104077b9} /a "ManyCam" /v "ManyCam LLC" /s "To function properly, ManyCam must be reinstalled after you upgrade Windows." /b 4 /f 0 /k 0 /e "C:\Users\Admin\AppData\Roaming\Uninstalloracle_Ki\ManyCam.exe"
      4⤵
      PID:3492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3084
    - - C:\Users\Admin\AppData\Local\Temp\Krycontrol_v5.exe
        
        C:\Users\Admin\AppData\Local\Temp\Krycontrol_v5.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nvemngzivjqy.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5793d5.rbs

Filesize
9KB

MD5
d894c132463aba332ddeb6ab75ed21df

SHA1
b7b3154534cd6f195ae9090c852284206b2e1c87

SHA256
1a5c63f77a14aafc41c6bd722d05c495eb176cd15b770ee3ca30381487b528e9

SHA512
80b9dddf34a059a96e7b70e74e3e1820a2561708df40f9274ccfdaa8b6dac1be4d872531ca0519957f2e0b39603e970f6ac5bfc8aaaa059f366ddeea309bcf8f

Download Submit
C:\ProgramData\bhgoktys\logs.dat

Filesize
144B

MD5
516b189ce0fdf1ee30a8c5dd8f1708fe

SHA1
c9835d6131ea483cd05a4c4c1d3fdbf3cf4dacfd

SHA256
e49301726e95a4e185d6303993747e3e4dbc9db33c2a10c997bd9306beec1495

SHA512
a23c8c97136376a51aa01b676a043ab6d2bb55ef0545d3c9f03bb6158b86394164fb395344389b8d6f014c1cec46e6919fe163624dc24569b1796faab6aab9c3

Download Submit
C:\ProgramData\bhgoktys\logs.dat

Filesize
224B

MD5
b9083b3b34689375c8d9bad1d33e1a91

SHA1
f1af04ec0562b1cea03b45599f6efd1bf6a9bb49

SHA256
caaadceb33f66991f34f73b439a9f5d0e6361dcb89eafeb2e577fa882bbd0db7

SHA512
c13b018162cd4f944ad585e1be83a99fc145ed0758cbe96299991f9361a4f1ab448a1e43a6fe45ecaf48a831a1344736a29109b715461533702621b89c72b8f2

Download Submit
C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe

Filesize
1.7MB

MD5
ba699791249c311883baa8ce3432703b

SHA1
f8734601f9397cb5ebb8872af03f5b0639c2eac6

SHA256
7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

SHA512
6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

Download Submit
C:\Users\Admin\AppData\Local\Commandership\cexwqap

Filesize
31KB

MD5
5d937ce5e1dbbeaa8ad3442db4e133e0

SHA1
59ac86c9554f4657e5743be621c87103e62ee663

SHA256
ac5d3dd071e8fbf2a6215b9d491c852e044a6673918466aebff7acc674818e41

SHA512
1af6587c97fe402606d19724c614155f034691169b810068e8d0eb12a9a1c8951bd340f0e294ad217295fe0ca4469e1a048c13f01af6d8c805c245e1307c77e8

Download Submit
C:\Users\Admin\AppData\Local\Commandership\cxcore099.dll

Filesize
908KB

MD5
286284d4ae1c67d0d5666b1417dcd575

SHA1
8b8a32577051823b003c78c86054874491e9ecfa

SHA256
37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

SHA512
2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

Download Submit
C:\Users\Admin\AppData\Local\Commandership\mutdi

Filesize
1.1MB

MD5
9eeaf634e41a42729f4afa7f3637fbf4

SHA1
323845cece34759031555902047c8826cbb68150

SHA256
f3668524182ad304fffe298dabeec28a8db3497c8e42b9fbdc02ee01efef6de2

SHA512
59f5b233230d7e1bab143503194e6ed30d41506e74ca28c079a83004fb14cce41e2403aa3fccc723c8fa55bf7d3226f50f560fa0348006ff699ff282a5509613

Download Submit
C:\Users\Admin\AppData\Local\Temp\20dbe74e

Filesize
1.6MB

MD5
a8b45440676151e387ecdbfe9382d29f

SHA1
d1b6e1a0ca24f639fac08467fc2b79bbeceeeb3e

SHA256
c1e3de57b85a0c417c5047c49220f087d02317200448596879736a8ad6300dc6

SHA512
1def4f4a49c119d71171cb2be1465bb1dc505e2a049f13a9a933dee119240e13779185989653c6fea5ded86ef449a98d9703fcff08c72610307a565c51ed4428

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krycontrol_v5.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvemngzivjqy.vbs

Filesize
524B

MD5
ec7a491576cb8d5a212b720f12376bd6

SHA1
5aa33361d7d3d8acf5e322f8a8ed2eb19cdc46c3

SHA256
e14bcc33e69445e3cc63bb0faa27b4e7429ce4fc2b81b7a754b22ce43226252a

SHA512
84972fee445f78792967b184e9805258a9c20f769ce9284a4e4252e345222d6f17f1df297c172560d638d2c6d347e30a5db914ed043d8b7733d0b20ab2e8bcc2

Download Submit
C:\Windows\Installer\e5793d4.msi

Filesize
2.8MB

MD5
86e199f73f01385585066e288c1738f3

SHA1
c7aaa0ed3d4177a71469667f617602b9517f2a48

SHA256
bcbcecf559e1506a12291cf270d6255f392a513ebca9464393d0a90efbaf9e63

SHA512
3d2a11d4093a90f5437e6c93c86473c6d773942aac9b66424d0e31d28c3016aa41b654742a5a98ec1aa9634e5a84f95498fef520c75a55dfbae022ad844f1756

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
41d03d1517e339d99399e0b171dc1d2c

SHA1
491aa65b4d39ca6ba8bc84646938f12971de5db8

SHA256
f3fd5dce5a3fe039cfd6e916f9912c8a1cec0cb010e2a2c64a767b8687e661ea

SHA512
d86f87abd60c0c476031e789ea91e774e8a726e1b9d2c36703f2820604e757199d348c8f902f7c8a2f2514110dea9d961d9c26cc3e64cf20620136cbee183b64

Download Submit
\??\Volume{38fc7460-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{79261aea-d431-43a3-834d-be0ac49ef29e}_OnDiskSnapshotProp

Filesize
5KB

MD5
09de73ed560aea9181dc7b6337ab398c

SHA1
0a9b077c98d2ac5ef6c9ff45c4888cefec16d0c5

SHA256
0ec5cd80cb0ec28b82fae44e46d429d566dfe58a841eb134d59f5116bbeed187

SHA512
91b16653d720360da72aa834a7e8822210c678e8578de13896f46043b6ef0bfbd302240960ededd491cabc35e1909db258e22c34c2ae184745da825dc412530f

Download Submit
\Users\Admin\AppData\Local\Commandership\CrashRpt.dll

Filesize
114KB

MD5
08dc2d56d688c17940179245cc47bbe4

SHA1
ec80b5b8c48e6cf5397f3244da16aea9578dcf20

SHA256
31a7fe8e8ee538a7089577037467ac7ba17b7b3ed9f052fc2e335ca721c43b55

SHA512
8b0f228e7abeb7ca41a3f6a9bcb1c14ed212946f204f5b9d60a3283d8df1105afbd850542313e3560be199e717a897a56628acbb99257673b946e30e05a292b9

Download Submit
\Users\Admin\AppData\Local\Commandership\cv099.dll

Filesize
664KB

MD5
2a8b33fee2f84490d52a3a7c75254971

SHA1
16ce2b1632a17949b92ce32a6211296fee431dca

SHA256
faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

SHA512
8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

Download Submit
\Users\Admin\AppData\Local\Commandership\cximagecrt.dll

Filesize
487KB

MD5
c36f6e088c6457a43adb7edcd17803f3

SHA1
b25b9fb4c10b8421c8762c7e7b3747113d5702de

SHA256
8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

SHA512
87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

Download Submit
\Users\Admin\AppData\Local\Commandership\dbghelp.dll

Filesize
478KB

MD5
e458d88c71990f545ef941cd16080bad

SHA1
cd24ccec2493b64904cf3c139cd8d58d28d5993b

SHA256
5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

SHA512
b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

Download Submit
\Users\Admin\AppData\Local\Commandership\highgui099.dll

Filesize
388KB

MD5
a354c42fcb37a50ecad8dde250f6119e

SHA1
0eb4ad5e90d28a4a8553d82cec53072279af1961

SHA256
89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

SHA512
981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

Download Submit
memory/1300-56-0x0000000000D20000-0x0000000000D82000-memory.dmp

Filesize
392KB

Download
memory/1300-66-0x00007FFB4E7E0000-0x00007FFB4E9BB000-memory.dmp

Filesize
1.9MB

Download
memory/1300-65-0x0000000073540000-0x00000000736BB000-memory.dmp

Filesize
1.5MB

Download
memory/1300-50-0x0000000000B80000-0x0000000000BF8000-memory.dmp

Filesize
480KB

Download
memory/1300-59-0x0000000001DC0000-0x0000000001E6D000-memory.dmp

Filesize
692KB

Download
memory/1300-53-0x0000000000C20000-0x0000000000D0C000-memory.dmp

Filesize
944KB

Download
memory/1828-125-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-131-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-157-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-137-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-134-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-143-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-151-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-121-0x00007FFB4E7E0000-0x00007FFB4E9BB000-memory.dmp

Filesize
1.9MB

Download
memory/1828-122-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-148-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1828-140-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3084-114-0x0000000073540000-0x00000000736BB000-memory.dmp

Filesize
1.5MB

Download
memory/3084-111-0x0000000073540000-0x00000000736BB000-memory.dmp

Filesize
1.5MB

Download
memory/3084-110-0x00007FFB4E7E0000-0x00007FFB4E9BB000-memory.dmp

Filesize
1.9MB

Download
memory/4896-105-0x0000000073540000-0x00000000736BB000-memory.dmp

Filesize
1.5MB

Download
memory/4896-95-0x0000000001C80000-0x0000000001D6C000-memory.dmp

Filesize
944KB

Download
memory/4896-92-0x0000000001C00000-0x0000000001C78000-memory.dmp

Filesize
480KB

Download
memory/4896-107-0x0000000073540000-0x00000000736BB000-memory.dmp

Filesize
1.5MB

Download
memory/4896-98-0x0000000001D70000-0x0000000001DD2000-memory.dmp

Filesize
392KB

Download
memory/4896-106-0x00007FFB4E7E0000-0x00007FFB4E9BB000-memory.dmp

Filesize
1.9MB

Download
memory/4896-101-0x0000000001DE0000-0x0000000001E8D000-memory.dmp

Filesize
692KB

Download