remcos | b96bcc8d4542d8644a5aef79d3e0a947770501b3dc7c75f67301fe605afb5407

Analysis

max time kernel
254s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

formulario_agendamiento_citas.msi
Size

2.8MB
MD5

86e199f73f01385585066e288c1738f3
SHA1

c7aaa0ed3d4177a71469667f617602b9517f2a48
SHA256

bcbcecf559e1506a12291cf270d6255f392a513ebca9464393d0a90efbaf9e63
SHA512

3d2a11d4093a90f5437e6c93c86473c6d773942aac9b66424d0e31d28c3016aa41b654742a5a98ec1aa9634e5a84f95498fef520c75a55dfbae022ad844f1756
SSDEEP

49152:x4WwasPIAyw9AiOFkw8xKBmk0PvpiUJjcW1gq+r6cWq7HSdqO0:CRnAA5POFl0KEBpiUJwW1gBTV7+0

Score

10^/10

remcos octubre 01 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

OCTUBRE 01 MUCHACHA

imaxatmonk.imaxatmonk.com:2204

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Acobatlg.exe
copy_folder
edqelofh
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
bhgoktys
mouse_option
false
mutex
fnahofkts-AL3Z2Q
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Krycontrol_v5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3512 set thread context of 1444	3512	ManyCam.exe	105

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{91417BCE-1368-43B1-82BB-75D80C662650}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAC4.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b9cc.msi	msiexec.exe
File created	C:\Windows\Installer\e57b9ca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b9ca.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4312	ManyCam.exe
3512	ManyCam.exe

Loads dropped DLL 19 IoCs

pid	Process
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
4312	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
528	Krycontrol_v5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3984	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krycontrol_v5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	ManyCam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ManyCam.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Krycontrol_v5.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4612	msiexec.exe
4612	msiexec.exe
4312	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
3512	ManyCam.exe
1444	cmd.exe
1444	cmd.exe
1444	cmd.exe
1444	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3512	ManyCam.exe
1444	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3984	msiexec.exe
Token: SeSecurityPrivilege	4612	msiexec.exe
Token: SeCreateTokenPrivilege	3984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3984	msiexec.exe
Token: SeLockMemoryPrivilege	3984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3984	msiexec.exe
Token: SeMachineAccountPrivilege	3984	msiexec.exe
Token: SeTcbPrivilege	3984	msiexec.exe
Token: SeSecurityPrivilege	3984	msiexec.exe
Token: SeTakeOwnershipPrivilege	3984	msiexec.exe
Token: SeLoadDriverPrivilege	3984	msiexec.exe
Token: SeSystemProfilePrivilege	3984	msiexec.exe
Token: SeSystemtimePrivilege	3984	msiexec.exe
Token: SeProfSingleProcessPrivilege	3984	msiexec.exe
Token: SeIncBasePriorityPrivilege	3984	msiexec.exe
Token: SeCreatePagefilePrivilege	3984	msiexec.exe
Token: SeCreatePermanentPrivilege	3984	msiexec.exe
Token: SeBackupPrivilege	3984	msiexec.exe
Token: SeRestorePrivilege	3984	msiexec.exe
Token: SeShutdownPrivilege	3984	msiexec.exe
Token: SeDebugPrivilege	3984	msiexec.exe
Token: SeAuditPrivilege	3984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3984	msiexec.exe
Token: SeChangeNotifyPrivilege	3984	msiexec.exe
Token: SeRemoteShutdownPrivilege	3984	msiexec.exe
Token: SeUndockPrivilege	3984	msiexec.exe
Token: SeSyncAgentPrivilege	3984	msiexec.exe
Token: SeEnableDelegationPrivilege	3984	msiexec.exe
Token: SeManageVolumePrivilege	3984	msiexec.exe
Token: SeImpersonatePrivilege	3984	msiexec.exe
Token: SeCreateGlobalPrivilege	3984	msiexec.exe
Token: SeBackupPrivilege	2380	vssvc.exe
Token: SeRestorePrivilege	2380	vssvc.exe
Token: SeAuditPrivilege	2380	vssvc.exe
Token: SeBackupPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3984	msiexec.exe
3984	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
528	Krycontrol_v5.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2344	4612	msiexec.exe	99
PID 4612 wrote to memory of 2344	4612	msiexec.exe	99
PID 4612 wrote to memory of 4312	4612	msiexec.exe	101
PID 4612 wrote to memory of 4312	4612	msiexec.exe	101
PID 4612 wrote to memory of 4312	4612	msiexec.exe	101
PID 4312 wrote to memory of 3976	4312	ManyCam.exe	102
PID 4312 wrote to memory of 3976	4312	ManyCam.exe	102
PID 4312 wrote to memory of 3512	4312	ManyCam.exe	103
PID 4312 wrote to memory of 3512	4312	ManyCam.exe	103
PID 4312 wrote to memory of 3512	4312	ManyCam.exe	103
PID 3512 wrote to memory of 4596	3512	ManyCam.exe	104
PID 3512 wrote to memory of 4596	3512	ManyCam.exe	104
PID 3512 wrote to memory of 1444	3512	ManyCam.exe	105
PID 3512 wrote to memory of 1444	3512	ManyCam.exe	105
PID 3512 wrote to memory of 1444	3512	ManyCam.exe	105
PID 3512 wrote to memory of 1444	3512	ManyCam.exe	105
PID 1444 wrote to memory of 528	1444	cmd.exe	110
PID 1444 wrote to memory of 528	1444	cmd.exe	110
PID 1444 wrote to memory of 528	1444	cmd.exe	110
PID 1444 wrote to memory of 528	1444	cmd.exe	110
PID 1444 wrote to memory of 528	1444	cmd.exe	110
PID 1444 wrote to memory of 528	1444	cmd.exe	110
PID 528 wrote to memory of 3692	528	Krycontrol_v5.exe	119
PID 528 wrote to memory of 3692	528	Krycontrol_v5.exe	119
PID 528 wrote to memory of 3692	528	Krycontrol_v5.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formulario_agendamiento_citas.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe
  "C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\pcaui.exe
    "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe"
    3⤵
    PID:3976
- - C:\Users\Admin\AppData\Roaming\Uninstalloracle_Ki\ManyCam.exe
    C:\Users\Admin\AppData\Roaming\Uninstalloracle_Ki\ManyCam.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\Uninstalloracle_Ki\ManyCam.exe"
      4⤵
      PID:4596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\Krycontrol_v5.exe
        
        C:\Users\Admin\AppData\Local\Temp\Krycontrol_v5.exe
        5⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\brwhxuvurrcbsjvbevyrxyivmgyqtpbnm.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b9cb.rbs

Filesize
9KB

MD5
c927384834b7f341d23147d6bb93325a

SHA1
a176ac22e38be990267fe701cf6857a26cfe6c6e

SHA256
44bf37b349abf951c7cafc5e4f49b399d55342526f85dda178be51cc85122276

SHA512
572de14c7a86797101009623571c6adeb188493e5dd0f20d68e15ed8bf61b3bd800561af9edf261f4f31afe78bf434a740627e00965ab9d46e405cae6d7043b5

Download Submit
C:\ProgramData\bhgoktys\logs.dat

Filesize
144B

MD5
f0029d132e66a625ef440ae54ab54b71

SHA1
3b9526742036c22e03d06b0d3b92516dea1099e7

SHA256
f8e321bf9e5ca8d1d5111fb97a9680af01f403b2a498c6d54df9bd4fc7400625

SHA512
eeaca952d7130dd33322b80eba4072d463a0a11c94ce788824d2c36418d5c330f97f80c666548c0b0166cfe1c613213aa41f9f6e8daf3611bf06af398406e153

Download Submit
C:\Users\Admin\AppData\Local\Commandership\CrashRpt.dll

Filesize
114KB

MD5
08dc2d56d688c17940179245cc47bbe4

SHA1
ec80b5b8c48e6cf5397f3244da16aea9578dcf20

SHA256
31a7fe8e8ee538a7089577037467ac7ba17b7b3ed9f052fc2e335ca721c43b55

SHA512
8b0f228e7abeb7ca41a3f6a9bcb1c14ed212946f204f5b9d60a3283d8df1105afbd850542313e3560be199e717a897a56628acbb99257673b946e30e05a292b9

Download Submit
C:\Users\Admin\AppData\Local\Commandership\ManyCam.exe

Filesize
1.7MB

MD5
ba699791249c311883baa8ce3432703b

SHA1
f8734601f9397cb5ebb8872af03f5b0639c2eac6

SHA256
7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

SHA512
6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

Download Submit
C:\Users\Admin\AppData\Local\Commandership\cexwqap

Filesize
31KB

MD5
5d937ce5e1dbbeaa8ad3442db4e133e0

SHA1
59ac86c9554f4657e5743be621c87103e62ee663

SHA256
ac5d3dd071e8fbf2a6215b9d491c852e044a6673918466aebff7acc674818e41

SHA512
1af6587c97fe402606d19724c614155f034691169b810068e8d0eb12a9a1c8951bd340f0e294ad217295fe0ca4469e1a048c13f01af6d8c805c245e1307c77e8

Download Submit
C:\Users\Admin\AppData\Local\Commandership\cv099.dll

Filesize
664KB

MD5
2a8b33fee2f84490d52a3a7c75254971

SHA1
16ce2b1632a17949b92ce32a6211296fee431dca

SHA256
faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

SHA512
8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

Download Submit
C:\Users\Admin\AppData\Local\Commandership\cxcore099.dll

Filesize
908KB

MD5
286284d4ae1c67d0d5666b1417dcd575

SHA1
8b8a32577051823b003c78c86054874491e9ecfa

SHA256
37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

SHA512
2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

Download Submit
C:\Users\Admin\AppData\Local\Commandership\cximagecrt.dll

Filesize
487KB

MD5
c36f6e088c6457a43adb7edcd17803f3

SHA1
b25b9fb4c10b8421c8762c7e7b3747113d5702de

SHA256
8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

SHA512
87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

Download Submit
C:\Users\Admin\AppData\Local\Commandership\dbghelp.dll

Filesize
478KB

MD5
e458d88c71990f545ef941cd16080bad

SHA1
cd24ccec2493b64904cf3c139cd8d58d28d5993b

SHA256
5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

SHA512
b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

Download Submit
C:\Users\Admin\AppData\Local\Commandership\highgui099.dll

Filesize
388KB

MD5
a354c42fcb37a50ecad8dde250f6119e

SHA1
0eb4ad5e90d28a4a8553d82cec53072279af1961

SHA256
89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

SHA512
981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

Download Submit
C:\Users\Admin\AppData\Local\Commandership\mutdi

Filesize
1.1MB

MD5
9eeaf634e41a42729f4afa7f3637fbf4

SHA1
323845cece34759031555902047c8826cbb68150

SHA256
f3668524182ad304fffe298dabeec28a8db3497c8e42b9fbdc02ee01efef6de2

SHA512
59f5b233230d7e1bab143503194e6ed30d41506e74ca28c079a83004fb14cce41e2403aa3fccc723c8fa55bf7d3226f50f560fa0348006ff699ff282a5509613

Download Submit
C:\Users\Admin\AppData\Local\Temp\64cb7648

Filesize
1.6MB

MD5
e1afc8743d0863cfcbbd02e44e21691f

SHA1
faf06111cc08440dea15412bce3fe330e4c00ff9

SHA256
e1bb7063298b6693e6643e07c0fa0c8b4176f757921d4c1eba1d6f335a3ea1ae

SHA512
405cd2a86dd723bb3ec564854dfcb46e73604c700c83af66ded774ae453774d361e7b736087062912467f57f4034692bac55613783093cdb0bd28ff60f4f48f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krycontrol_v5.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\brwhxuvurrcbsjvbevyrxyivmgyqtpbnm.vbs

Filesize
524B

MD5
ec7a491576cb8d5a212b720f12376bd6

SHA1
5aa33361d7d3d8acf5e322f8a8ed2eb19cdc46c3

SHA256
e14bcc33e69445e3cc63bb0faa27b4e7429ce4fc2b81b7a754b22ce43226252a

SHA512
84972fee445f78792967b184e9805258a9c20f769ce9284a4e4252e345222d6f17f1df297c172560d638d2c6d347e30a5db914ed043d8b7733d0b20ab2e8bcc2

Download Submit
C:\Windows\Installer\e57b9ca.msi

Filesize
2.8MB

MD5
86e199f73f01385585066e288c1738f3

SHA1
c7aaa0ed3d4177a71469667f617602b9517f2a48

SHA256
bcbcecf559e1506a12291cf270d6255f392a513ebca9464393d0a90efbaf9e63

SHA512
3d2a11d4093a90f5437e6c93c86473c6d773942aac9b66424d0e31d28c3016aa41b654742a5a98ec1aa9634e5a84f95498fef520c75a55dfbae022ad844f1756

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
ffaf0615b9e0304d4de2cd658c15b91d

SHA1
fc736d5d71ec7060fb8ed92683156286d5a6ff1b

SHA256
862e1bcfee1d36603afbb26d19a10832555ead83be4a825acc8551f30aa8dd95

SHA512
8b8cda2871eb99be6aaa55c996c750bade2d089121a4c4f0a8b6f816b31ab18b16913cf24a3f19fd33e5faf2abe142c2e4bf22887acf339a92979a59819d0d45

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c4a43e5-9711-4174-ab1c-49613568af96}_OnDiskSnapshotProp

Filesize
6KB

MD5
ccd9f022028ae328919b26be5d0d23d7

SHA1
307b4100ad62cdc9ef1698869e377e680625495e

SHA256
531576cce6d7fab179d04e8d1be28c94a746585e2b6329df9ba37bf8d3e3219f

SHA512
4b9f76a1d7d717d4ef776e6edba02cc60d97bca709cd22da53078cada6eb2ebb8afd92a248da8063c1c613181fb633198ce25848415912e00ae71209d551b02e

Download Submit
memory/528-124-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-127-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-136-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-130-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-133-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-121-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-118-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-143-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-112-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/528-111-0x00007FFC18FF0000-0x00007FFC191E5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-100-0x00007FFC18FF0000-0x00007FFC191E5000-memory.dmp

Filesize
2.0MB

Download
memory/1444-101-0x0000000074EF0000-0x000000007506B000-memory.dmp

Filesize
1.5MB

Download
memory/1444-104-0x0000000074EF0000-0x000000007506B000-memory.dmp

Filesize
1.5MB

Download
memory/3512-91-0x0000000001760000-0x000000000180D000-memory.dmp

Filesize
692KB

Download
memory/3512-97-0x0000000074EF0000-0x000000007506B000-memory.dmp

Filesize
1.5MB

Download
memory/3512-96-0x00007FFC18FF0000-0x00007FFC191E5000-memory.dmp

Filesize
2.0MB

Download
memory/3512-95-0x0000000074EF0000-0x000000007506B000-memory.dmp

Filesize
1.5MB

Download
memory/3512-89-0x0000000001810000-0x0000000001872000-memory.dmp

Filesize
392KB

Download
memory/3512-85-0x0000000000B40000-0x0000000000C2C000-memory.dmp

Filesize
944KB

Download
memory/4312-59-0x00007FFC18FF0000-0x00007FFC191E5000-memory.dmp

Filesize
2.0MB

Download
memory/4312-58-0x0000000074EF0000-0x000000007506B000-memory.dmp

Filesize
1.5MB

Download
memory/4312-46-0x0000000001BC0000-0x0000000001C6D000-memory.dmp

Filesize
692KB

Download
memory/4312-49-0x0000000001C70000-0x0000000001D5C000-memory.dmp

Filesize
944KB

Download
memory/4312-52-0x0000000001D60000-0x0000000001DC2000-memory.dmp

Filesize
392KB

Download