Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-ce1ddashlf
Target 14112024_0200_13112024_QUOTATION-- #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.7z
SHA256 aae02ab2461de2d26dcc070a13c6fa1e32b843d5ea8de7bf7affa260a0e2a570
Tags
remcos slaves collection discovery persistence rat
Score
10/10

Analysis Overview

Score
10/10

SHA256

aae02ab2461de2d26dcc070a13c6fa1e32b843d5ea8de7bf7affa260a0e2a570

Threat Level: Known bad

The file 14112024_0200_13112024_QUOTATION-- #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.7z was found to be: Known bad.

Malicious Activity Summary

remcos slaves collection discovery persistence rat

Remcos family

Remcos

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:00

Reported

2024-11-14 02:05

Platform

win7-20240708-en

Max time kernel

297s

Max time network

296s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Videoss = "C:\\Users\\Admin\\AppData\\Roaming\\Images.exe" C:\Windows\SysWOW64\reg.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Images.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2312 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2312 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2312 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2312 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2312 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2720 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2720 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2720 wrote to memory of 584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 584 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 896 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2152 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 19 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 19

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe" "C:\Users\Admin\AppData\Roaming\Images.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 18

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 18

C:\Users\Admin\AppData\Roaming\Images.exe

"C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\dinpuwigtss"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndshvgsahbkpjzq"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\xffawylbvjcumfezdf"

Network

Country Destination Domain Proto
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 66.63.163.134:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 66.63.163.134:1604 windowslavesclient.duckdns.org tcp

Files

memory/2384-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2384-1-0x0000000000240000-0x0000000000386000-memory.dmp

memory/2384-2-0x0000000000390000-0x00000000003D4000-memory.dmp

memory/2384-3-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2384-4-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2384-5-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2384-6-0x0000000074630000-0x0000000074D1E000-memory.dmp

\Users\Admin\AppData\Roaming\Images.exe

MD5 5c44a72a49fe4fbc94f1c1aa8cbf0ab6
SHA1 d0d0903f73b4aa11ee580fb6fd8d80775e6e88de
SHA256 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
SHA512 d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

memory/584-17-0x0000000000060000-0x00000000001A6000-memory.dmp

memory/584-18-0x00000000007B0000-0x00000000007CA000-memory.dmp

memory/584-19-0x0000000000790000-0x0000000000796000-memory.dmp

memory/2152-20-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-28-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-30-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-26-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-24-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-22-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2152-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-34-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-36-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-37-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-41-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-42-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-44-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-45-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-46-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-47-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-52-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-58-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-59-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-60-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-61-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-62-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-65-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-67-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-69-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-72-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-74-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-76-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-77-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-78-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-79-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-80-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-81-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-82-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2152-83-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dinpuwigtss

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:00

Reported

2024-11-14 02:05

Platform

win10v2004-20241007-en

Max time kernel

297s

Max time network

296s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Videoss = "C:\\Users\\Admin\\AppData\\Roaming\\Images.exe" C:\Windows\SysWOW64\reg.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Images.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 840 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 840 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4552 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4596 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4596 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 840 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 840 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4596 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4596 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4596 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 4596 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 4596 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2688 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4344 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4036 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 3312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4920 wrote to memory of 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 19 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 19

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 29 > nul && copy "C:\Users\Admin\AppData\Local\Temp\QUOTATION #46789RFQ_SUPLM_NOV24_SALEH_CONSTRUCTIONS_LLC_PDF.exe" "C:\Users\Admin\AppData\Roaming\Images.exe" && ping 127.0.0.1 -n 29 > nul && "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 29

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 29

C:\Users\Admin\AppData\Roaming\Images.exe

"C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\fujgzlhhsdokrxfmji"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\pwozsesjglgptdtqsscgt"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\rqussodcutycejpcbdohesbma"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\rqussodcutycejpcbdohesbma"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\rqussodcutycejpcbdohesbma"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 66.63.163.134:1604 windowslavesclient.duckdns.org tcp
US 66.63.163.134:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
US 8.8.8.8:53 134.163.63.66.in-addr.arpa udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp

Files

memory/4552-0-0x000000007462E000-0x000000007462F000-memory.dmp

memory/4552-1-0x0000000000F20000-0x0000000001066000-memory.dmp

memory/4552-2-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

memory/4552-3-0x0000000005500000-0x0000000005AA4000-memory.dmp

memory/4552-4-0x0000000004FF0000-0x0000000005082000-memory.dmp

memory/4552-5-0x0000000004E50000-0x0000000004E94000-memory.dmp

memory/4552-6-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4552-7-0x0000000005110000-0x000000000511A000-memory.dmp

memory/4552-8-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4552-9-0x000000007462E000-0x000000007462F000-memory.dmp

memory/4552-10-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4552-12-0x0000000074620000-0x0000000074DD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Images.exe

MD5 5c44a72a49fe4fbc94f1c1aa8cbf0ab6
SHA1 d0d0903f73b4aa11ee580fb6fd8d80775e6e88de
SHA256 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
SHA512 d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

memory/2688-18-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2688-19-0x00000000007F0000-0x0000000000936000-memory.dmp

memory/2688-20-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2688-21-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2688-22-0x0000000007380000-0x000000000739A000-memory.dmp

memory/2688-23-0x00000000099D0000-0x00000000099D6000-memory.dmp

memory/4920-24-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-26-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2688-28-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/4920-27-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-29-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-30-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-31-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-32-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-34-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-36-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-37-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-41-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-42-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-44-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-45-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-46-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-47-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-52-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-58-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-59-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-60-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-61-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-62-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-65-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-67-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-69-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-72-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-74-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-76-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-77-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-78-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-79-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-80-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-81-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-82-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-83-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-84-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-85-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-86-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-87-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-88-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4920-89-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fujgzlhhsdokrxfmji

MD5 17eece3240d08aa4811cf1007cfe2585
SHA1 6c10329f61455d1c96e041b6f89ee6260af3bd0f
SHA256 7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903
SHA512 a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370