Malware Analysis Report

2025-08-11 05:04

Sample ID 241230-cpejnavlan
Target 4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe
SHA256 4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5
Tags
remcos rmc_fri discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5

Threat Level: Known bad

The file 4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe was found to be: Known bad.

Malicious Activity Summary

remcos rmc_fri discovery rat

Remcos family

Remcos

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Enumerates processes with tasklist

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-30 02:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-30 02:14

Reported

2024-12-30 02:17

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\extrac32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
(The same key is opened by the stock console utilities in this chain, cmd.exe, findstr.exe and choice.exe included, so on its own this entry is a weak indicator.)

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Identical entries
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical entries
PID 2636 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2736 wrote to memory of 2192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe | 4
PID 2736 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 4
PID 2736 wrote to memory of 2588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe | 4
PID 2736 wrote to memory of 2656 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 4
PID 2736 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2736 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\extrac32.exe | 4
PID 2736 wrote to memory of 640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 4
PID 2736 wrote to memory of 2240 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2736 wrote to memory of 2640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | 4
PID 2736 wrote to memory of 2528 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe | 4
PID 2640 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | C:\Windows\SysWOW64\schtasks.exe | 4
(Every entry is a parent writing into a child it has just created, the normal process-creation pattern; no write into an unrelated process is recorded. The entries are useful here mainly for the parent/child PIDs they expose.)

Processes

Process tree (parent/child links and PIDs taken from the WriteProcessMemory entries above; the "System32\cmd.exe" in the command line lands in SysWOW64 because the 32-bit sample runs under WOW64 file-system redirection):

[PID 2636] C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe
           "C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"
  [PID 2736] C:\Windows\SysWOW64\cmd.exe
             "C:\Windows\System32\cmd.exe" /c move Leather Leather.cmd & Leather.cmd
    [PID 2192] C:\Windows\SysWOW64\tasklist.exe
               tasklist
    [PID 2836] C:\Windows\SysWOW64\findstr.exe
               findstr /I "opssvc wrsa"
    [PID 2588] C:\Windows\SysWOW64\tasklist.exe
               tasklist
    [PID 2656] C:\Windows\SysWOW64\findstr.exe
               findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    [PID 2572] C:\Windows\SysWOW64\cmd.exe
               cmd /c md 13728
    [PID 2600] C:\Windows\SysWOW64\extrac32.exe
               extrac32 /Y /E Islands
    [PID 640]  C:\Windows\SysWOW64\findstr.exe
               findstr /V "teach" Ventures
    [PID 2240] C:\Windows\SysWOW64\cmd.exe
               cmd /c copy /b ..\Statement + ..\Inherited + ..\Yu + ..\Handbook + ..\Contests + ..\Socket + ..\Clerk + ..\Emphasis + ..\Desert + ..\Gzip L
    [PID 2640] C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com
               Supposed.com L
      [PID 1248] C:\Windows\SysWOW64\schtasks.exe
                 schtasks.exe /create /tn "FinView" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FinTech Visionary Solutions\FinView.js'" /sc onlogon /F /RL HIGHEST
    [PID 2528] C:\Windows\SysWOW64\choice.exe
               choice /d y /t 15
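
The process tree above is a recognisable staging chain: an extensionless drop is renamed to .cmd and run, tasklist output is grepped for security-product process names, extrac32 expands an archive with no .cab extension, copy /b glues ten chunk files into the payload, and schtasks registers a wscript logon task at highest run level. The detection logic below, written for this page as an added example (it is not part of the sandbox report), runs those checks over constructed process-creation events built from the report's command lines and PIDs. The parent PID of the sample and the two benign records are invented; the rule names, the "three or more sources" threshold for copy /b, and the wscript/cscript list are assumptions.

```python
"""Detect the batch-file staging chain from this report in process-creation events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed from
the report's behavioral1 command lines and PIDs; the sample's own parent PID and
the two benign records at the end are invented. Field names follow Sysmon Event
ID 1 (ProcessId, ParentProcessId, Image, CommandLine); any source with those
four fields will do.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process names the dropper greps for in tasklist output (its two findstr lines).
AV_PROCESS_TOKENS = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                     "nswscsvc", "ekrn", "sophoshealth"}
# "move X X.cmd & X.cmd": rename an extensionless drop to .cmd and run it in one cmd /c.
RENAME_AND_RUN = re.compile(r"\bmove\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I)
# extrac32 /E expands a CAB archive that carries no .cab extension ("Islands" here).
EXTRAC32_EXPAND = re.compile(r"\bextrac32(?:\.exe)?\b.*\s/e\b", re.I)


def _mentions_av_process(cmdline):
    tokens = set(re.findall(r"[a-z0-9_]+", cmdline.lower()))
    return bool(tokens & AV_PROCESS_TOKENS)


def _copy_b_parts(cmdline):
    """Number of sources in `copy /b a + b + ... dest`; 0 if not a binary copy."""
    m = re.search(r"\bcopy\s+/b\s+(.*)", cmdline, re.I)
    return m.group(1).count("+") + 1 if m else 0


def _schtasks_logon_script(cmdline):
    low = cmdline.lower()
    return ("schtasks" in low and "/create" in low and "/sc onlogon" in low
            and "/rl highest" in low
            and re.search(r"\b(wscript|cscript)\b", low) is not None)


def detect(events):
    """Return (rule, pid) findings in event order."""
    # The pipe between tasklist and findstr is not in either command line, so a
    # findstr for AV names counts only if a tasklist ran under the same parent.
    parents_with_tasklist = {e.ppid for e in events
                             if e.image.lower().endswith("\\tasklist.exe")}
    findings = []
    for e in events:
        c = e.cmdline
        if RENAME_AND_RUN.search(c):
            findings.append(("rename_to_cmd_and_run", e.pid))
        if (e.image.lower().endswith("\\findstr.exe")
                and e.ppid in parents_with_tasklist and _mentions_av_process(c)):
            findings.append(("av_check_tasklist_findstr", e.pid))
        if EXTRAC32_EXPAND.search(c):
            findings.append(("extrac32_expand", e.pid))
        if _copy_b_parts(c) >= 3:      # threshold is an assumption; the sample joins 10
            findings.append(("copy_b_reassembly", e.pid))
        if _schtasks_logon_script(c):
            findings.append(("schtasks_onlogon_script_highest", e.pid))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"
SYS = r"C:\Windows\SysWOW64"
STAGED = r"C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com"

SAMPLE_EVENTS = [
    ProcEvent(2636, 1000, SAMPLE, '"' + SAMPLE + '"'),            # parent PID 1000: invented
    ProcEvent(2736, 2636, SYS + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c move Leather Leather.cmd & Leather.cmd'),
    ProcEvent(2192, 2736, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(2836, 2736, SYS + r"\findstr.exe", 'findstr /I "opssvc wrsa"'),
    ProcEvent(2588, 2736, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(2656, 2736, SYS + r"\findstr.exe",
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(2572, 2736, SYS + r"\cmd.exe", "cmd /c md 13728"),
    ProcEvent(2600, 2736, SYS + r"\extrac32.exe", "extrac32 /Y /E Islands"),
    ProcEvent(640, 2736, SYS + r"\findstr.exe", 'findstr /V "teach" Ventures'),
    ProcEvent(2240, 2736, SYS + r"\cmd.exe",
              r"cmd /c copy /b ..\Statement + ..\Inherited + ..\Yu + ..\Handbook + ..\Contests"
              r" + ..\Socket + ..\Clerk + ..\Emphasis + ..\Desert + ..\Gzip L"),
    ProcEvent(2640, 2736, STAGED, "Supposed.com L"),
    ProcEvent(2528, 2736, SYS + r"\choice.exe", "choice /d y /t 15"),
    ProcEvent(1248, 2640, SYS + r"\schtasks.exe",
              r"""schtasks.exe /create /tn "FinView" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FinTech Visionary Solutions\FinView.js'" /sc onlogon /F /RL HIGHEST"""),
    # Benign records (invented): a log grep and a two-file binary copy.
    ProcEvent(3100, 900, SYS + r"\findstr.exe", 'findstr /i "error" build.log'),
    ProcEvent(3101, 900, SYS + r"\cmd.exe", "cmd /c copy /b a.bin + b.bin out.bin"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:34s} pid={pid}")
```

Keying the AV-name findstr on a sibling tasklist under the same parent is what keeps the benign `findstr /i "error" build.log` quiet; the rename-and-run and schtasks rules are specific enough to stand alone, while extrac32 /E and copy /b with several sources are lower-confidence on their own and are best scored together with the rest of the chain.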

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | HnCLsOLukMwgJkxByfx.HnCLsOLukMwgJkxByfx | udp
BG | 101.99.94.64:2404 | - | tcp
BG | 101.99.94.64:80 | - | tcp
BG | 101.99.94.64:8080 | - | tcp
BG | 101.99.94.64:465 | - | tcp
BG | 101.99.94.64:50000 | - | tcp
BG | 101.99.94.64:2404 | - | tcp
BG | 101.99.94.64:80 | - | tcp
BG | 101.99.94.64:8080 | - | tcp
BG | 101.99.94.64:465 | - | tcp
BG | 101.99.94.64:50000 | - | tcp
BG | 101.99.94.64:2404 | - | tcp
BG | 101.99.94.64:80 | - | tcp
BG | 101.99.94.64:8080 | - | tcp
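
The network table shows one host, 101.99.94.64, tried on 2404, 80, 8080, 465 and 50000 in the same order three times over, which is what a client walking a configured list of fallback host:port entries looks like (the second detonation shows the same cycle). Blocking the IP catches this sample; the more durable signal is the shape of the traffic. The detection below is an added example written for this page, not part of the report: it groups constructed connection records by process and destination host and flags any pair that touches several distinct ports inside a short window, then measures the period of the port sequence. Timestamps, the browser traffic, and the thresholds are assumptions.

```python
"""Flag a process that walks one destination host through several ports.

Added example, not part of the report. SAMPLE_CONNS mirrors the report's Network
table for PID 2640 (ports in the order listed there); the timestamps, the DNS
record and the benign browser traffic are invented. min_ports and window_s are
assumptions to tune per environment.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since detonation start (constructed)
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def repeat_period(ports):
    """Smallest p with ports[i] == ports[i+p] for every i; len(ports) if none."""
    n = len(ports)
    for p in range(1, n):
        if all(ports[i] == ports[i + p] for i in range(n - p)):
            return p
    return n


def find_port_cyclers(conns, min_ports=4, window_s=120.0):
    """One hit per (pid, dst_ip) that hits >= min_ports distinct ports within window_s."""
    by_key = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_key[(c.pid, c.dst_ip)].append(c)
    hits = []
    for (pid, ip), seq in by_key.items():
        for i in range(len(seq)):
            window = [c for c in seq[i:] if c.ts - seq[i].ts <= window_s]
            ports = [c.dst_port for c in window]
            if len(set(ports)) >= min_ports:
                hits.append({
                    "pid": pid, "image": seq[i].image, "dst_ip": ip,
                    "distinct_ports": set(ports), "attempts": len(ports),
                    # period of the port sequence: 5 here, i.e. the list is looped
                    "period": repeat_period(ports),
                    "first_ts": window[0].ts, "last_ts": window[-1].ts,
                })
                break          # report each (pid, host) once
    return hits


C2_PORTS = [2404, 80, 8080, 465, 50000]      # order as listed in the report
STAGED = r"C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com"

SAMPLE_CONNS = (
    [Conn(10.0 * i, 2640, STAGED, "101.99.94.64", C2_PORTS[i % 5]) for i in range(13)]
    + [Conn(1.0, 2640, STAGED, "8.8.8.8", 53)]
    # benign (constructed): a browser reusing one host on two ports
    + [Conn(3.0 + i, 4000, r"C:\Program Files\Browser\browser.exe", "203.0.113.10", p)
       for i, p in enumerate([443, 443, 80, 443])]
)

if __name__ == "__main__":
    for h in find_port_cyclers(SAMPLE_CONNS):
        print(f"pid={h['pid']} {h['dst_ip']} ports={sorted(h['distinct_ports'])} "
              f"attempts={h['attempts']} period={h['period']}")
```

A period equal to the number of distinct ports, as here, means the process is looping over a fixed list rather than scanning; combine the hit with the process identity (an executable under %TEMP%) before alerting, since a legitimate client with several configured endpoints can produce the same shape.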

Files

C:\Users\Admin\AppData\Local\Temp\Leather

MD5 41a9a63393c651bc508204b3422a8be0
SHA1 227bad4fb387c3fe65572b3cc3a4ea44681e4fd4
SHA256 45a666c1e2d89cb67dbd26bafd12ce83e7102a297e1489ef928675f9bc572e6d
SHA512 fff1c16441e39442b490bf54e5f59b979f54ec2636cd736f0e9299ab6198743d9d8ea8d511124ce59feb43c94a077c5f8cc54d94f8b5bb3912ccf9a4e02bc971

C:\Users\Admin\AppData\Local\Temp\Islands

MD5 6064f38cec772696803c832d698bbdfd
SHA1 10be14ac4d14dcba13864270bb7d4f5b37a34821
SHA256 df48e4cda40c0a5382ea649f6a357d1c9c902005cfb2a6def62e19f6de99dc2d
SHA512 4b0088248be89b6be45e5af4bb7a4af87d5771c66392191d38acbfb17a8dffebed5f597488d875ed5bd2095cc283f999a69bde17f47be8b5b0908f79818b8ba8

C:\Users\Admin\AppData\Local\Temp\Ventures

MD5 f1cc3f9960ab371fe3d7f26beecc7ca7
SHA1 e9ad207a52c78ed8a58d58b56b69121540f792a1
SHA256 f96237fcb384ea10ada3ed909f5aec43a330d8e7ea1a7f4c5c7744c753d0bd73
SHA512 03bbb0f402f075896727859ebd2f523e1afa29efcd17cf30ae2954679344c6503123e71028208cf25709f53cd22697842d05effbafc7f270026c7ed8af475701

C:\Users\Admin\AppData\Local\Temp\Era

MD5 bcca6d9a41f2fc3dbb70d8a7ee74ed20
SHA1 6d9d5095bafc69dec15a93f82614cce7d8ddc5ff
SHA256 3630c0ccadbd98290cccb145695b44d045ad0afca19f93792a53aef304a2b00c
SHA512 b8298d710d70cb076eb5d2c65a132104e66f7dfc62081bc90ff5c70277703a01cc089c4182fb8dee6979eb705509089ef6a5eba012cf804b3f23bfbefb1c6e91

C:\Users\Admin\AppData\Local\Temp\Strand

MD5 735ffcca9807233aff339f8a6463ad1e
SHA1 da11b2a43a52d3a1c6e9fc0843df0de180d83725
SHA256 8c6ce627044432ce0e431f6818c137833d18688819f03fc4adc8447b8aa980bd
SHA512 f65ce15a1aff036953cb1b53dbea3de23dae8231cb24d0fdcf2d2d13595954488f34b713cecc10e3cb7b30ada743d4cc3315e9f011bd265fa4cd1e5400375bde

C:\Users\Admin\AppData\Local\Temp\Structural

MD5 905441403203b441e8a45aa48f19287b
SHA1 26c97b2055227de96ed97336cc21332efa935c89
SHA256 4dd82c681b0cc67fcdbfa53457673581f970eab35bfec92404e3913b0d436bfa
SHA512 b2c4bcdf1bb373e18c4801f56e0e24c5a7a2997d5ee425838da36bc0a7e03c144eaa700e6f7d3f3be62ad982dc9d386a4dfdf1f1d486f2a6ec23196496ad6d82

C:\Users\Admin\AppData\Local\Temp\Distribution

MD5 ea6f9be88305980cf7d4e803081ce7c1
SHA1 8a15c339d5cb8a8951dcb80068489c1408e73b10
SHA256 095d4d26eaa30a7289cfdea6b304fb2e1ad6ef2aa7ddb203ab55f390706991ab
SHA512 b3997bf6b5ede358bb6031d0fc4a036e88414744b2391a670b4dbd0212f9375f519141bd9e6ff7af6d9b0b6fb9f3cdd924511333a10927320035201bf29dd116

C:\Users\Admin\AppData\Local\Temp\Suspension

MD5 e02abcf3970f383aeadfcb8c2347c4bb
SHA1 a1d112b7a9f8e234d6f28c111d639a97e3ef4390
SHA256 2a640492be5df8cb312992ee23d80afb4e32c9ef7fc5f830ee089210a41b0608
SHA512 bf71b407f3a52e2f26f3480b246c780bc3a53cbfea15b465ea0a30f28ac7f1b44503ffb7f059e8ddd52e3b6fa57c674a616e8537f34c186f87cfb7719da4dce1

C:\Users\Admin\AppData\Local\Temp\Cal

MD5 ec66cd426d99cba80dba356a71bab3e9
SHA1 7a27ad5828edb1dd7c60a342de3a764b54b31099
SHA256 0f6e289f404aa4979a3d8233586cd33931d8575cde5ba2b0aa7b0cb8c71bef72
SHA512 6b1a0f06dc42a8d42b8781aca7e1afb902661799d27b32e26d3fbc7040eb3712ed76f2e71ceafc16711a3beaec64cfab37f964ff8f23595e8cbca5ad27baf2a0

C:\Users\Admin\AppData\Local\Temp\Everything

MD5 f70929aac338a54dae96918705bebd54
SHA1 1023545f1d292be7fa5cadddc324442c27685668
SHA256 0f31b9b54ad3dc4abec6a6ca81ba4e8d06d9ce5cb7cc524ac4721e2e92040079
SHA512 4d78cfb80a5c0b4f62fbe4b9afc2d14ae94ecd23391aad0d1e022b61d7952c02a5d13c72342a2404b41407f74afd5e8ca04ea0bb6671f7dd04b3ae1e22c0a4d5

C:\Users\Admin\AppData\Local\Temp\Induced

MD5 5c71cf6bf6dd0dd68cdda92ca0c9d917
SHA1 380a2ae1194350327cf83ca869250b64b5a6400f
SHA256 980957812bfd0e3bc5a3a1ad8dca9d8e844aaf31aa0d66fad376a90175c5df7d
SHA512 cf0db7281bb07897c750d1bded782e3cfe5eadd94ffd0415bdc89ac83c6dff32b4453f805b084f75db56ac319ecaa733939bf1255e6c09899db5c70d1ae36649

C:\Users\Admin\AppData\Local\Temp\Statement

MD5 064ed87f5b0e77a0cb8f11b44fb64782
SHA1 aac79fc8698d1b65867937b44c9ceba9f652d6b4
SHA256 396a1e80f368dba73b30d64e87135a33937cdca899528588d5af26fb52811aba
SHA512 4503993d97014d11b32c54f8c30fdf981291d1206cefcae01217e239d3c816c6d13aa28c1d3a5291f5de99e8f5989036bbbb08c23b236ac45e391a88f2e37889

C:\Users\Admin\AppData\Local\Temp\Inherited

MD5 3778215c0689810d2d6390071da105a7
SHA1 2d38fef5aa8e4ec10b2aea0abe9438c96e7f7531
SHA256 0f42663ba69d0383a9668c791178a18960c25f876f3b10e90d6e6a2acbce7326
SHA512 6aeb355b339ad0a431c5132e185621ef1a34da69a700c0ee50f42981af1691d3ac52f514c46f89618ef86b0a368f755ac30d80babee1ff828fbcd1eb4a93bd5c

C:\Users\Admin\AppData\Local\Temp\Yu

MD5 ead75dceff1cb76a4cbfd86b802ebcf4
SHA1 d5337a18bdfeaf39e3ec6bf64782a6e65597c55a
SHA256 17ecb803a2fd1dc24164db5eac973579278448c1b5547181f229ce1b2926361b
SHA512 210fcaf683d157adf45d9145643a5fae163f3ed0f85d133f52abb42e6be7abefbf9df3c18aa574f9de93784adb929bd778d0714e3fd095f4fbcab034d16fbbae

C:\Users\Admin\AppData\Local\Temp\Handbook

MD5 ef20f0a636403f36da61210b100e542f
SHA1 5a5f77f431179cd8316e84c5f5b04c1d3c44e861
SHA256 fa10aca6fa02c5d4853884736cc5c5b533418c64f21386480d416c39673d993e
SHA512 41c090c5aa1482ff25e909da634360bde4004201379115240f544332b974144a080e5a31735c57358f001b8eb551fd6c28022690efdaba38e6942c027817891f

C:\Users\Admin\AppData\Local\Temp\Contests

MD5 7c8639d59298925dbb44af313c2e6063
SHA1 3e51d8ee019082bfa755c838cb8da490dc18fe7b
SHA256 7a50aef0f70a5059e150bc55333f43c5ad1d74caf97f59a0e440d72dbda8921d
SHA512 2dfb434221b0444978598427a45b187bb58b06dc2ca343a0ce78621447e8ff2bb531ee0e9253eb147d1037b5da6a203688b80061e3cb8f9a1c4c6a1efc4713a6

C:\Users\Admin\AppData\Local\Temp\Socket

MD5 780a75442f17fc441590e8075a4096e7
SHA1 a1a53f71572b8ebf95cf970e069458ed8edeab9a
SHA256 0298a67073b64e028c0c7a264c24d0cb473685e8b71b5dd0f82b13592fdfcda1
SHA512 88f0e63ebe66cf729c1a14acfcf554645bbc07b4530f0a3cd0eaa064da6fd6780977b197478974ca5d4683ab49e29e0c2fcad9366688c5cefa4383130ea0eeff

C:\Users\Admin\AppData\Local\Temp\Clerk

MD5 eec769daa4d8b3b702b66b3bb00b57a6
SHA1 6ebc9a1d4bf0fb954677c319ce561e8a1fd61056
SHA256 0a57e1a0cc5c318846d19bcba4bf2aeaa13230d15478160431ff81751ea6975f
SHA512 7a53c6e81cafb74e0d67925767f12fb973aac7cde6b21033bf99efc8ae2144c262f40af9b59479aa7e272b937be407b8c20269fd81414ba9a692644c555a45ba

C:\Users\Admin\AppData\Local\Temp\Emphasis

MD5 78d8249784c1eeeb298e897e0edb2ce9
SHA1 09a1999941b67a86bca8c5d9df654980e1ece4ab
SHA256 ec7f1a6066f8d15dfafa46d3dfe9ec1fa8f1a16be375616504e386df1201c0f0
SHA512 8e41c94550ee31869f01c995b11660aac2abac01dfe1125190aa2568b733c3ac1ebce80a22c19bf384c0589fb0bff36d926a2b11d01c73b6e1f126c70c7113a9

C:\Users\Admin\AppData\Local\Temp\Desert

MD5 c834c69832c0cac49301b5d8a78c1672
SHA1 23e5d46108a1481b8ed0acb7edaf3ff2ef659a72
SHA256 f9b959cc49a3df0da6a197d5e74958052bb2bdf69603e376019cd6da6d6fb623
SHA512 507aa570412d2a1774fe176df7ec799528d1f791fdb1e92fb70e5945916c173d3b08cbae80f21b62570b07b1fc76ba70bba9862d4a48cc8d51c3d288dcaa34b6

C:\Users\Admin\AppData\Local\Temp\Gzip

MD5 708a05da814a21987be83f2f01b6d6fa
SHA1 c3fb5f379dfb95933671cb4095424d8e3334d9a5
SHA256 3cb2cb525938792c281b10dd7efc896427fa32c893d8691fa5d21e3cf54cc380
SHA512 594c2abbfbb5276075e78ef0049c1625f74441330aa280d6b3d760b2c387863a8d4ed42819018ee0b528794530d36b345cfaae10a1c34297fa666f4f77cd9c38

C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com

MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

C:\Users\Admin\AppData\Local\Temp\13728\L

MD5 3816adc3cfdfb1f64ed972f265dd4549
SHA1 c842cbe12caa9ad768f08fab53d4984826e1c082
SHA256 61bb7562e5ff5b209facd2eb7ebc49475e9901a75b29b9d0e7104c1734eba140
SHA512 06a14ff4a384f6a3d223521df57819ced21b3308f8aa469c32d72c610f39269d9734c31709c821e2d1800f7910f1ebc922f161d0128a9e5343b8c7172e915100

memory/2640-{74,75,76,77,78,79,80,83,84,86,90}-0x0000000003520000-0x000000000359F000-memory.dmp   (11 dumps of the same region of PID 2640, C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com)

C:\ProgramData\rmc\logs.dat

MD5 eb24118e5963c3388da86ef7fd875a7a
SHA1 7d005288afe95ce962f5c5b2692f564898f4ef63
SHA256 b232c12af0d36c1f7d29db6f7d7c402a263b479787cb7c8151095d1580968e4c
SHA512 ecdc32445ca3257ba3321a594090593bf20ff0f159ae568608a35b984e8c4d43091aed634c0a3520d7b1c677aaf50cd3d4bc0225b11f0611afa8c0937a463941

memory/2640-{94,98,102,103,106,110,114,118,122,123,126,131}-0x0000000003520000-0x000000000359F000-memory.dmp   (12 further dumps of the same region of PID 2640)
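
Two steps of the batch file are pure file transformations and can be replayed offline against the dropped files listed above, without running the sample: `findstr /V "teach" Ventures` keeps only the lines of Ventures that do not contain "teach", and `copy /b ..\Statement + ... + ..\Gzip L` concatenates the ten chunk files, in that order, into 13728\L (SHA256 61bb7562e5ff5b209facd2eb7ebc49475e9901a75b29b9d0e7104c1734eba140 above). The script below is an added example written for this page, not part of the report. Where findstr's output is redirected is not visible in the report, because cmd.exe owns the redirection, so the filtered file name is an assumption; the chunk bytes and the Ventures text it writes for the demo are constructed. On a real case, point rebuild() at the directory holding the dropped files and compare the returned hash with the report's.

```python
"""Replay the staging steps from this report offline and check the result.

Added example, not part of the report. Transformations come from the report's
command lines; FILTERED_NAME is an assumption (the redirect target is not shown),
and build_demo_workdir() writes constructed stand-ins for the dropped files.
"""
import hashlib
import tempfile
from pathlib import Path

# Source order exactly as in the report's copy /b command line.
CHUNK_ORDER = ["Statement", "Inherited", "Yu", "Handbook", "Contests",
               "Socket", "Clerk", "Emphasis", "Desert", "Gzip"]
STAGE_DIR = "13728"                  # from "cmd /c md 13728"
FILTERED_NAME = "Ventures.filtered"  # assumed; the real destination is not in the report


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def findstr_v(data, needle):
    """Approximate `findstr /V "needle"`: keep every line that does not contain
    the literal (case-sensitive, since no /I was given); line endings are kept."""
    return b"".join(line for line in data.splitlines(keepends=True)
                    if needle not in line)


def copy_b(workdir, names):
    """Emulate `copy /b a + b + ... dest`: raw concatenation in the listed order."""
    return b"".join((Path(workdir) / n).read_bytes() for n in names)


def rebuild(workdir):
    """Run the two transformations against `workdir` (the dropper's %TEMP%)."""
    workdir = Path(workdir)
    stage = workdir / STAGE_DIR
    stage.mkdir(exist_ok=True)
    filtered = findstr_v((workdir / "Ventures").read_bytes(), b"teach")
    (stage / FILTERED_NAME).write_bytes(filtered)
    # copy /b runs from inside 13728, hence the ..\ prefixes in the report.
    payload = copy_b(workdir, CHUNK_ORDER)
    (stage / "L").write_bytes(payload)
    return {"filtered": filtered, "L": payload, "L_sha256": sha256_hex(payload)}


def build_demo_workdir(root):
    """Write constructed stand-ins for the dropped files; returns the expected L."""
    root = Path(root)
    chunks = {name: f"<{name}:".encode() + bytes([i]) * 16 + b">"
              for i, name in enumerate(CHUNK_ORDER)}
    for name, blob in chunks.items():
        (root / name).write_bytes(blob)
    (root / "Ventures").write_bytes(
        b"keep 1\r\nteach me nothing\r\nkeep 2\r\nTEACH stays: no /I\r\n")
    return b"".join(chunks[n] for n in CHUNK_ORDER)


def run_demo():
    """Stage the constructed files in a scratch directory and rebuild from them."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = build_demo_workdir(tmp)
        out = rebuild(tmp)
    out["matches_expected"] = out["L_sha256"] == sha256_hex(expected)
    return out


if __name__ == "__main__":
    result = run_demo()
    print("L sha256:", result["L_sha256"], "ok" if result["matches_expected"] else "MISMATCH")
```

If the hash of the rebuilt L does not match the report's, check the chunk order first (copy /b is order-sensitive) and then whether any chunk file was itself modified by an earlier step; a match confirms that the payload the sandbox ran is exactly the concatenation of the files you hold, which is the starting point for static analysis of what Supposed.com executes.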

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:14

Reported

2024-12-30 02:17

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\extrac32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Identical entries
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A | 38

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Identical entries
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A | 3

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical entries
PID 2452 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4468 wrote to memory of 3228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe | 3
PID 4468 wrote to memory of 2388 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 3
PID 4468 wrote to memory of 5048 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe | 3
PID 4468 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 3
PID 4468 wrote to memory of 2380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4468 wrote to memory of 4444 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\extrac32.exe | 3
PID 4468 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 3
PID 4468 wrote to memory of 1784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4468 wrote to memory of 1796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | 3
PID 4468 wrote to memory of 3316 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe | 3
PID 1796 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com | C:\Windows\SysWOW64\schtasks.exe | 3
(As in behavioral1, every write is from a parent into a child it has just created; no write into an unrelated process is recorded.)

Processes

C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe

"C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Leather Leather.cmd & Leather.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "opssvc wrsa"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 13728

C:\Windows\SysWOW64\extrac32.exe

extrac32 /Y /E Islands

C:\Windows\SysWOW64\findstr.exe

findstr /V "teach" Ventures

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Statement + ..\Inherited + ..\Yu + ..\Handbook + ..\Contests + ..\Socket + ..\Clerk + ..\Emphasis + ..\Desert + ..\Gzip L

C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com

Supposed.com L

C:\Windows\SysWOW64\choice.exe

choice /d y /t 15

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "FinView" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FinTech Visionary Solutions\FinView.js'" /sc onlogon /F /RL HIGHEST
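The process list above is the whole loader chain in order: an extensionless drop is renamed to Leather.cmd and run, `tasklist | findstr` looks for security-product processes, `extrac32` unpacks a cabinet that is not named .cab, `findstr /V` carves a file, `copy /b` glues ten fragments into L, the resulting Supposed.com is started with L as its only argument, `choice /d y /t 15` stands in for a 15-second sleep, and `schtasks` registers a logon task that runs a JScript file through `wscript //B` (batch mode, no dialogs) at the highest run level. Two details are easy to miss when reading such a tree: the output redirections of `extrac32` and `findstr /V` (the step that produces Supposed.com) are handled by the parent cmd.exe, so the destination file never appears in the child's command line, and the .com in a %TEMP% subfolder taking a bare one-letter script argument is the pattern of a renamed script interpreter, although the report does not identify what Supposed.com is. The Python below is an added editorial example, not code from the sandbox or the report; it scores process-creation events against these stages. Event tuples are transcribed from the Processes list, and the reading of the grepped names as Quick Heal (opssvc), Webroot (wrsa), Avast/AVG (AvastUI, AVGUI), Bitdefender (bdservicehost), Norton (nsWscSvc), ESET (ekrn) and Sophos (SophosHealth) is mine, not the page's.

```python
"""Score process-creation events against the stages of the loader chain above.

Added example for this report, not code from the sandbox. Events are
transcribed from the Processes list as (image, command line); in production
they would be Sysmon Event ID 1 or EDR process-start records.
"""
import re

# Process names the loader greps for via `tasklist | findstr`. Taken from the
# two findstr lines in the report; vendor attribution is our reading.
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}


def _tokens(cmdline):
    return {t.lower() for t in re.findall(r"[A-Za-z0-9_.-]+", cmdline)}


RULES = {
    # tasklist | findstr "<security product processes>"
    "av_process_discovery": lambda img, cmd:
        img.lower().endswith("findstr.exe") and bool(_tokens(cmd) & AV_PROCESS_NAMES),
    # move X X.cmd & X.cmd: give an extensionless drop a .cmd name and run it
    "rename_then_run_batch": lambda img, cmd:
        re.search(r"\bmove\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", cmd, re.I) is not None,
    # extrac32 /E on a source that is not named *.cab
    "extrac32_unnamed_cab": lambda img, cmd:
        img.lower().endswith("extrac32.exe") and "/e" in cmd.lower()
        and re.search(r"\.cab\b", cmd, re.I) is None,
    # copy /b a + b + c ... dst: binary concatenation of many fragments
    "binary_fragment_concat": lambda img, cmd:
        re.search(r"\bcopy\s+/b\b", cmd, re.I) is not None and cmd.count("+") >= 3,
    # a .com image started from a %TEMP% subfolder
    "com_from_temp": lambda img, cmd:
        img.lower().endswith(".com") and "\\appdata\\local\\temp\\" in img.lower(),
    # choice /d y /t N used as a sleep primitive
    "choice_as_sleep": lambda img, cmd:
        re.search(r"\bchoice\s+/d\s+\S+\s+/t\s+\d+", cmd, re.I) is not None,
    # logon task running wscript //B (no dialogs) at the highest run level
    "schtasks_hidden_wscript": lambda img, cmd:
        img.lower().endswith("schtasks.exe")
        and all(k in cmd.lower() for k in
                ("/create", "wscript", "//b", "/sc onlogon", "/rl highest")),
}

# Constructed from the report's Processes list: (image, command line).
EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c move Leather Leather.cmd & Leather.cmd'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    (r"C:\Windows\SysWOW64\findstr.exe",
     'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 13728"),
    (r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Islands"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "teach" Ventures'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b ..\Statement + ..\Inherited + ..\Yu + ..\Handbook + ..\Contests"
     r" + ..\Socket + ..\Clerk + ..\Emphasis + ..\Desert + ..\Gzip L"),
    (r"C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com", "Supposed.com L"),
    (r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 15"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks.exe /create /tn "FinView" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FinTech Visionary Solutions\FinView.js'" /sc onlogon /F /RL HIGHEST'''),
]


def triage(events):
    """Return {rule_name: [matching command lines]} for one process tree."""
    hits = {}
    for image, cmdline in events:
        for name, rule in RULES.items():
            if rule(image, cmdline):
                hits.setdefault(name, []).append(cmdline)
    return hits


def verdict(hits, threshold=3):
    """Flag the tree only when several independent stages are present;
    any single rule (a stray `choice`, a benign `copy /b`) is too noisy alone."""
    return len(hits) >= threshold


if __name__ == "__main__":
    found = triage(EVENTS)
    for name, cmds in found.items():
        print(f"{name}: {len(cmds)} hit(s)")
    print("loader chain:", verdict(found))
```

Run against the transcribed events, all seven rules fire and the tree is flagged; a plain `cmd /c dir` matches nothing. The threshold matters more than any single rule: each stage on its own is a legitimate administrative command, and it is the combination within one process tree that carries the signal.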

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 HnCLsOLukMwgJkxByfx.HnCLsOLukMwgJkxByfx udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
BG 101.99.94.64:2404 tcp
US 8.8.8.8:53 64.94.99.101.in-addr.arpa udp
BG 101.99.94.64:80 tcp
BG 101.99.94.64:8080 tcp
BG 101.99.94.64:465 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 101.99.94.64:50000 tcp
BG 101.99.94.64:2404 tcp
BG 101.99.94.64:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BG 101.99.94.64:8080 tcp
BG 101.99.94.64:465 tcp
BG 101.99.94.64:50000 tcp
BG 101.99.94.64:2404 tcp
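Read as a whole, the table shows one Bulgarian host, 101.99.94.64, contacted over TCP eleven times, cycling through ports 2404, 80, 8080, 465 and 50000 in the same order twice and starting a third pass; the UDP rows are DNS to the sandbox resolver, ten of them reverse (in-addr.arpa) lookups, one of them for the reverse name of that same host. That a single host is tried on several ports in a fixed rotation is consistent with a Remcos client walking its configured host:port list, which is how this editor reads it; the report itself only tags the sample as Remcos. The Python below is an added example, not part of the report: it transcribes the table, turns reverse-lookup names back into addresses, correlates them with contacted hosts, and produces the IOC summary an analyst would paste into a case.

```python
"""Summarise the Network table above into IOCs.

Added example, not from the sandbox report. ROWS is the table transcribed as
(country, destination, domain, proto); tcp rows carry no domain.
"""
import ipaddress
from collections import defaultdict

ROWS = [
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "75.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "HnCLsOLukMwgJkxByfx.HnCLsOLukMwgJkxByfx", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.130.81.91.in-addr.arpa", "udp"),
    ("BG", "101.99.94.64:2404", "", "tcp"),
    ("US", "8.8.8.8:53", "64.94.99.101.in-addr.arpa", "udp"),
    ("BG", "101.99.94.64:80", "", "tcp"),
    ("BG", "101.99.94.64:8080", "", "tcp"),
    ("BG", "101.99.94.64:465", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("BG", "101.99.94.64:50000", "", "tcp"),
    ("BG", "101.99.94.64:2404", "", "tcp"),
    ("BG", "101.99.94.64:80", "", "tcp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("BG", "101.99.94.64:8080", "", "tcp"),
    ("BG", "101.99.94.64:465", "", "tcp"),
    ("BG", "101.99.94.64:50000", "", "tcp"),
    ("BG", "101.99.94.64:2404", "", "tcp"),
]


def ptr_to_ip(name):
    """Map a reverse-lookup name (64.94.99.101.in-addr.arpa) to 101.99.94.64."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def summarise(rows):
    """Group TCP connections per host and split DNS into PTR and forward queries."""
    tcp = defaultdict(lambda: {"country": None, "ports": set(), "port_sequence": []})
    ptr_targets, forward_queries = set(), set()
    for country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            ip = ptr_to_ip(domain)
            (ptr_targets.add(ip) if ip else forward_queries.add(domain))
            continue
        entry = tcp[host]
        entry["country"] = country
        entry["ports"].add(int(port))
        entry["port_sequence"].append(int(port))
    # A host tried on three or more ports is our C2 candidate: the client is
    # rotating through a configured port list rather than using one service.
    return {
        "tcp": dict(tcp),
        "c2_candidates": {h: sorted(e["ports"]) for h, e in tcp.items()
                          if len(e["ports"]) >= 3},
        "ptr_lookup_of_contacted_host": sorted(ptr_targets & set(tcp)),
        "forward_queries": sorted(forward_queries),
    }


if __name__ == "__main__":
    for key, value in summarise(ROWS).items():
        print(key, value)
```

The summary yields one C2 candidate with five ports, confirms that the sample (or the OS on its behalf) asked for the PTR record of that same host, and isolates the one forward query, the repeated-label name HnCLsOLukMwgJkxByfx.HnCLsOLukMwgJkxByfx, which has no visible connection to any contacted address and should be kept as an IOC on its own. The other PTR lookups target Microsoft-range addresses typical of Windows background traffic in a sandbox and are not attributed to the sample here.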

Files

C:\Users\Admin\AppData\Local\Temp\Leather

MD5 41a9a63393c651bc508204b3422a8be0
SHA1 227bad4fb387c3fe65572b3cc3a4ea44681e4fd4
SHA256 45a666c1e2d89cb67dbd26bafd12ce83e7102a297e1489ef928675f9bc572e6d
SHA512 fff1c16441e39442b490bf54e5f59b979f54ec2636cd736f0e9299ab6198743d9d8ea8d511124ce59feb43c94a077c5f8cc54d94f8b5bb3912ccf9a4e02bc971

C:\Users\Admin\AppData\Local\Temp\Islands

MD5 6064f38cec772696803c832d698bbdfd
SHA1 10be14ac4d14dcba13864270bb7d4f5b37a34821
SHA256 df48e4cda40c0a5382ea649f6a357d1c9c902005cfb2a6def62e19f6de99dc2d
SHA512 4b0088248be89b6be45e5af4bb7a4af87d5771c66392191d38acbfb17a8dffebed5f597488d875ed5bd2095cc283f999a69bde17f47be8b5b0908f79818b8ba8

C:\Users\Admin\AppData\Local\Temp\Ventures

MD5 f1cc3f9960ab371fe3d7f26beecc7ca7
SHA1 e9ad207a52c78ed8a58d58b56b69121540f792a1
SHA256 f96237fcb384ea10ada3ed909f5aec43a330d8e7ea1a7f4c5c7744c753d0bd73
SHA512 03bbb0f402f075896727859ebd2f523e1afa29efcd17cf30ae2954679344c6503123e71028208cf25709f53cd22697842d05effbafc7f270026c7ed8af475701

C:\Users\Admin\AppData\Local\Temp\Era

MD5 bcca6d9a41f2fc3dbb70d8a7ee74ed20
SHA1 6d9d5095bafc69dec15a93f82614cce7d8ddc5ff
SHA256 3630c0ccadbd98290cccb145695b44d045ad0afca19f93792a53aef304a2b00c
SHA512 b8298d710d70cb076eb5d2c65a132104e66f7dfc62081bc90ff5c70277703a01cc089c4182fb8dee6979eb705509089ef6a5eba012cf804b3f23bfbefb1c6e91

C:\Users\Admin\AppData\Local\Temp\Strand

MD5 735ffcca9807233aff339f8a6463ad1e
SHA1 da11b2a43a52d3a1c6e9fc0843df0de180d83725
SHA256 8c6ce627044432ce0e431f6818c137833d18688819f03fc4adc8447b8aa980bd
SHA512 f65ce15a1aff036953cb1b53dbea3de23dae8231cb24d0fdcf2d2d13595954488f34b713cecc10e3cb7b30ada743d4cc3315e9f011bd265fa4cd1e5400375bde

C:\Users\Admin\AppData\Local\Temp\Structural

MD5 905441403203b441e8a45aa48f19287b
SHA1 26c97b2055227de96ed97336cc21332efa935c89
SHA256 4dd82c681b0cc67fcdbfa53457673581f970eab35bfec92404e3913b0d436bfa
SHA512 b2c4bcdf1bb373e18c4801f56e0e24c5a7a2997d5ee425838da36bc0a7e03c144eaa700e6f7d3f3be62ad982dc9d386a4dfdf1f1d486f2a6ec23196496ad6d82

C:\Users\Admin\AppData\Local\Temp\Distribution

MD5 ea6f9be88305980cf7d4e803081ce7c1
SHA1 8a15c339d5cb8a8951dcb80068489c1408e73b10
SHA256 095d4d26eaa30a7289cfdea6b304fb2e1ad6ef2aa7ddb203ab55f390706991ab
SHA512 b3997bf6b5ede358bb6031d0fc4a036e88414744b2391a670b4dbd0212f9375f519141bd9e6ff7af6d9b0b6fb9f3cdd924511333a10927320035201bf29dd116

C:\Users\Admin\AppData\Local\Temp\Suspension

MD5 e02abcf3970f383aeadfcb8c2347c4bb
SHA1 a1d112b7a9f8e234d6f28c111d639a97e3ef4390
SHA256 2a640492be5df8cb312992ee23d80afb4e32c9ef7fc5f830ee089210a41b0608
SHA512 bf71b407f3a52e2f26f3480b246c780bc3a53cbfea15b465ea0a30f28ac7f1b44503ffb7f059e8ddd52e3b6fa57c674a616e8537f34c186f87cfb7719da4dce1

C:\Users\Admin\AppData\Local\Temp\Cal

MD5 ec66cd426d99cba80dba356a71bab3e9
SHA1 7a27ad5828edb1dd7c60a342de3a764b54b31099
SHA256 0f6e289f404aa4979a3d8233586cd33931d8575cde5ba2b0aa7b0cb8c71bef72
SHA512 6b1a0f06dc42a8d42b8781aca7e1afb902661799d27b32e26d3fbc7040eb3712ed76f2e71ceafc16711a3beaec64cfab37f964ff8f23595e8cbca5ad27baf2a0

C:\Users\Admin\AppData\Local\Temp\Everything

MD5 f70929aac338a54dae96918705bebd54
SHA1 1023545f1d292be7fa5cadddc324442c27685668
SHA256 0f31b9b54ad3dc4abec6a6ca81ba4e8d06d9ce5cb7cc524ac4721e2e92040079
SHA512 4d78cfb80a5c0b4f62fbe4b9afc2d14ae94ecd23391aad0d1e022b61d7952c02a5d13c72342a2404b41407f74afd5e8ca04ea0bb6671f7dd04b3ae1e22c0a4d5

C:\Users\Admin\AppData\Local\Temp\Induced

MD5 5c71cf6bf6dd0dd68cdda92ca0c9d917
SHA1 380a2ae1194350327cf83ca869250b64b5a6400f
SHA256 980957812bfd0e3bc5a3a1ad8dca9d8e844aaf31aa0d66fad376a90175c5df7d
SHA512 cf0db7281bb07897c750d1bded782e3cfe5eadd94ffd0415bdc89ac83c6dff32b4453f805b084f75db56ac319ecaa733939bf1255e6c09899db5c70d1ae36649

C:\Users\Admin\AppData\Local\Temp\Statement

MD5 064ed87f5b0e77a0cb8f11b44fb64782
SHA1 aac79fc8698d1b65867937b44c9ceba9f652d6b4
SHA256 396a1e80f368dba73b30d64e87135a33937cdca899528588d5af26fb52811aba
SHA512 4503993d97014d11b32c54f8c30fdf981291d1206cefcae01217e239d3c816c6d13aa28c1d3a5291f5de99e8f5989036bbbb08c23b236ac45e391a88f2e37889

C:\Users\Admin\AppData\Local\Temp\Inherited

MD5 3778215c0689810d2d6390071da105a7
SHA1 2d38fef5aa8e4ec10b2aea0abe9438c96e7f7531
SHA256 0f42663ba69d0383a9668c791178a18960c25f876f3b10e90d6e6a2acbce7326
SHA512 6aeb355b339ad0a431c5132e185621ef1a34da69a700c0ee50f42981af1691d3ac52f514c46f89618ef86b0a368f755ac30d80babee1ff828fbcd1eb4a93bd5c

C:\Users\Admin\AppData\Local\Temp\Yu

MD5 ead75dceff1cb76a4cbfd86b802ebcf4
SHA1 d5337a18bdfeaf39e3ec6bf64782a6e65597c55a
SHA256 17ecb803a2fd1dc24164db5eac973579278448c1b5547181f229ce1b2926361b
SHA512 210fcaf683d157adf45d9145643a5fae163f3ed0f85d133f52abb42e6be7abefbf9df3c18aa574f9de93784adb929bd778d0714e3fd095f4fbcab034d16fbbae

C:\Users\Admin\AppData\Local\Temp\Handbook

MD5 ef20f0a636403f36da61210b100e542f
SHA1 5a5f77f431179cd8316e84c5f5b04c1d3c44e861
SHA256 fa10aca6fa02c5d4853884736cc5c5b533418c64f21386480d416c39673d993e
SHA512 41c090c5aa1482ff25e909da634360bde4004201379115240f544332b974144a080e5a31735c57358f001b8eb551fd6c28022690efdaba38e6942c027817891f

C:\Users\Admin\AppData\Local\Temp\Contests

MD5 7c8639d59298925dbb44af313c2e6063
SHA1 3e51d8ee019082bfa755c838cb8da490dc18fe7b
SHA256 7a50aef0f70a5059e150bc55333f43c5ad1d74caf97f59a0e440d72dbda8921d
SHA512 2dfb434221b0444978598427a45b187bb58b06dc2ca343a0ce78621447e8ff2bb531ee0e9253eb147d1037b5da6a203688b80061e3cb8f9a1c4c6a1efc4713a6

C:\Users\Admin\AppData\Local\Temp\Socket

MD5 780a75442f17fc441590e8075a4096e7
SHA1 a1a53f71572b8ebf95cf970e069458ed8edeab9a
SHA256 0298a67073b64e028c0c7a264c24d0cb473685e8b71b5dd0f82b13592fdfcda1
SHA512 88f0e63ebe66cf729c1a14acfcf554645bbc07b4530f0a3cd0eaa064da6fd6780977b197478974ca5d4683ab49e29e0c2fcad9366688c5cefa4383130ea0eeff

C:\Users\Admin\AppData\Local\Temp\Desert

MD5 c834c69832c0cac49301b5d8a78c1672
SHA1 23e5d46108a1481b8ed0acb7edaf3ff2ef659a72
SHA256 f9b959cc49a3df0da6a197d5e74958052bb2bdf69603e376019cd6da6d6fb623
SHA512 507aa570412d2a1774fe176df7ec799528d1f791fdb1e92fb70e5945916c173d3b08cbae80f21b62570b07b1fc76ba70bba9862d4a48cc8d51c3d288dcaa34b6

C:\Users\Admin\AppData\Local\Temp\Emphasis

MD5 78d8249784c1eeeb298e897e0edb2ce9
SHA1 09a1999941b67a86bca8c5d9df654980e1ece4ab
SHA256 ec7f1a6066f8d15dfafa46d3dfe9ec1fa8f1a16be375616504e386df1201c0f0
SHA512 8e41c94550ee31869f01c995b11660aac2abac01dfe1125190aa2568b733c3ac1ebce80a22c19bf384c0589fb0bff36d926a2b11d01c73b6e1f126c70c7113a9

C:\Users\Admin\AppData\Local\Temp\Clerk

MD5 eec769daa4d8b3b702b66b3bb00b57a6
SHA1 6ebc9a1d4bf0fb954677c319ce561e8a1fd61056
SHA256 0a57e1a0cc5c318846d19bcba4bf2aeaa13230d15478160431ff81751ea6975f
SHA512 7a53c6e81cafb74e0d67925767f12fb973aac7cde6b21033bf99efc8ae2144c262f40af9b59479aa7e272b937be407b8c20269fd81414ba9a692644c555a45ba

C:\Users\Admin\AppData\Local\Temp\Gzip

MD5 708a05da814a21987be83f2f01b6d6fa
SHA1 c3fb5f379dfb95933671cb4095424d8e3334d9a5
SHA256 3cb2cb525938792c281b10dd7efc896427fa32c893d8691fa5d21e3cf54cc380
SHA512 594c2abbfbb5276075e78ef0049c1625f74441330aa280d6b3d760b2c387863a8d4ed42819018ee0b528794530d36b345cfaae10a1c34297fa666f4f77cd9c38

C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com

MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

C:\Users\Admin\AppData\Local\Temp\13728\L

MD5 3816adc3cfdfb1f64ed972f265dd4549
SHA1 c842cbe12caa9ad768f08fab53d4984826e1c082
SHA256 61bb7562e5ff5b209facd2eb7ebc49475e9901a75b29b9d0e7104c1734eba140
SHA512 06a14ff4a384f6a3d223521df57819ced21b3308f8aa469c32d72c610f39269d9734c31709c821e2d1800f7910f1ebc922f161d0128a9e5343b8c7172e915100
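The Files section gives hashes for every fragment named in the loader's `copy /b` line (Statement through Gzip) and for the result, 13728\L, so the concatenation can be reproduced from the dropped files and checked against the recorded hash; this is how to confirm that the L handed to Supposed.com is exactly the sum of those ten drops and that nothing was altered after the copy. The Python below is an added example, not part of the report: it parses the fragment order out of the command line, concatenates in that order as `copy /b` does, and compares the SHA256 to the value listed above. The fragment bytes are constructed placeholders; an analyst substitutes the real files recovered from the sandbox.

```python
"""Rebuild the payload file L the way the loader's `copy /b` line does and
verify it against the hash the sandbox recorded for 13728\\L.

Added example, not from the report. FRAGMENTS holds constructed stand-ins; in
practice load the real dropped files (their hashes are in the Files section).
"""
import hashlib
import re

# The copy command line exactly as listed in the Processes section.
COPY_CMDLINE = (r"cmd /c copy /b ..\Statement + ..\Inherited + ..\Yu + ..\Handbook"
                r" + ..\Contests + ..\Socket + ..\Clerk + ..\Emphasis + ..\Desert + ..\Gzip L")

# SHA256 of C:\Users\Admin\AppData\Local\Temp\13728\L from the Files section.
L_SHA256 = "61bb7562e5ff5b209facd2eb7ebc49475e9901a75b29b9d0e7104c1734eba140"


def parse_copy_b(cmdline):
    """Return (ordered source basenames, destination) from `copy /b a + b ... dst`."""
    m = re.search(r"copy\s+/b\s+(.*?)\s+(\S+)\s*$", cmdline, re.I)
    if not m:
        raise ValueError("not a copy /b concatenation")
    sources = [part.strip().rsplit("\\", 1)[-1] for part in m.group(1).split("+")]
    return sources, m.group(2)


def reassemble(fragments, order):
    """Concatenate fragment bytes in command-line order, which is all copy /b does."""
    missing = [name for name in order if name not in fragments]
    if missing:
        raise KeyError(f"fragments not recovered from the sandbox: {missing}")
    return b"".join(fragments[name] for name in order)


def verify(blob, expected_sha256):
    """True when the rebuilt blob hashes to the value the sandbox recorded."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()


# Constructed stand-ins; replace with open(path, "rb").read() of the real drops.
FRAGMENTS = {name: f"<{name}>".encode() for name in
             ["Statement", "Inherited", "Yu", "Handbook", "Contests",
              "Socket", "Clerk", "Emphasis", "Desert", "Gzip"]}

if __name__ == "__main__":
    order, dest = parse_copy_b(COPY_CMDLINE)
    blob = reassemble(FRAGMENTS, order)
    print(dest, "=", " + ".join(order))
    print(len(blob), "bytes; matches recorded SHA256:", verify(blob, L_SHA256))
```

With the placeholders the hash check is false, as it must be; with the real drops it should be true, and a mismatch would mean either an incomplete set of fragments or a file modified after the copy. The carve that produces Supposed.com (`findstr /V "teach" Ventures`, output redirected by the parent cmd) is deliberately not reproduced here, because findstr's line handling on binary input has edge cases around the final newline that make a naive reimplementation unreliable; compare the dropped Supposed.com against its listed hash instead. Further down, C:\ProgramData\rmc\logs.dat is the file Remcos writes captured keystrokes to (the folder name comes from the build configuration, and "rmc" matches the report's rmc_fri tag), so it is the artifact to collect when assessing what was exposed on a real victim.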

memory/1796-73-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-72-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-74-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-76-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-77-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-75-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-78-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-81-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-82-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-84-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-88-0x0000000000610000-0x000000000068F000-memory.dmp

C:\ProgramData\rmc\logs.dat

MD5 ead5e231fd9cbf49494fea986ea3526a
SHA1 47dbd092fd7d401d9c76bf3a80e4b6e040e0caa3
SHA256 99aa1e850204582b860aef936cf359cead920e47d36da61d67781225e743ec64
SHA512 53e5d8a28f29d5af1ad341a0860ac0b1e645811443c7dba63afdfa031602504e81ee34d1789200c0c43e5bfd7f527a72c68add9bbd461f0e50bd92ce85648ae5

memory/1796-92-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-96-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-100-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-101-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-104-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-109-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-112-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-116-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-120-0x0000000000610000-0x000000000068F000-memory.dmp
memory/1796-121-0x0000000000610000-0x000000000068F000-memory.dmp