remcos | baac57b1f64f5d6e9eeadc84424db056fe253119f0f1bf4b2f2b55f940bce4ab

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2021 NEW PURCHASE REQUIREMENT.xlsx
Size

1.4MB
MD5

c12a39b32626cd2b4ca80d41ffa7a24c
SHA1

2105a2bc2161e9adfa0d3e087e43a466b9f5df58
SHA256

baac57b1f64f5d6e9eeadc84424db056fe253119f0f1bf4b2f2b55f940bce4ab
SHA512

f9a0ed261feea72e6bc128475db4ae5f239ade26937f1b5a645ad5c8d7face344c8ba3a90fbed5679bcd19207e66a52e2cebd5ed210b82d6590eb10a7486ea22

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1976 EQNEDT32.EXE
Executes dropped EXE 4 IoCs

Processes:

vbc.exevbc.exevlc.exevlc.exe

pid process

1636 vbc.exe
1292 vbc.exe
1124 vlc.exe
1484 vlc.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEcmd.exe

pid process

1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
1168 cmd.exe
1168 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
7	1976	EQNEDT32.EXE

pid	process
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE
1168	cmd.exe
1168	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vlc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vlc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

vbc.exevlc.exe

pid	process
1636	vbc.exe
1636	vbc.exe
1636	vbc.exe
1636	vbc.exe
1636	vbc.exe
1636	vbc.exe
1636	vbc.exe
1124	vlc.exe
1124	vlc.exe
1124	vlc.exe
1124	vlc.exe
1124	vlc.exe
1124	vlc.exe
1124	vlc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vbc.exevlc.exe

description pid process target process

PID 1636 set thread context of 1292 1636 vbc.exe vbc.exe
PID 1124 set thread context of 1484 1124 vlc.exe vlc.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2032 timeout.exe
708 timeout.exe
1240 timeout.exe
1700 timeout.exe
1036 timeout.exe
1712 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1976 EQNEDT32.EXE

description	pid	process	target process
PID 1636 set thread context of 1292	1636	vbc.exe	vbc.exe
PID 1124 set thread context of 1484	1124	vlc.exe	vlc.exe

pid	process
2032	timeout.exe
708	timeout.exe
1240	timeout.exe
1700	timeout.exe
1036	timeout.exe
1712	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1976	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1424 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

vbc.exevlc.exe

pid process

1636 vbc.exe
1636 vbc.exe
1636 vbc.exe
1124 vlc.exe
1124 vlc.exe
1124 vlc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exevlc.exe

description pid process

Token: SeDebugPrivilege 1636 vbc.exe
Token: SeDebugPrivilege 1124 vlc.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXEvlc.exe

pid process

1424 EXCEL.EXE
1424 EXCEL.EXE
1424 EXCEL.EXE
1484 vlc.exe

pid	process
1424	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1636	vbc.exe
Token: SeDebugPrivilege	1124	vlc.exe

pid	process
1424	EXCEL.EXE
1424	EXCEL.EXE
1424	EXCEL.EXE
1484	vlc.exe

Suspicious use of WriteProcessMemory 86 IoCs

Processes:

EQNEDT32.EXEvbc.execmd.execmd.execmd.exevbc.exeWScript.execmd.exevlc.execmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1636	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1636	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1636	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1636	1976	EQNEDT32.EXE	vbc.exe
PID 1636 wrote to memory of 1952	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 1952	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 1952	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 1952	1636	vbc.exe	cmd.exe
PID 1952 wrote to memory of 708	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 708	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 708	1952	cmd.exe	timeout.exe
PID 1952 wrote to memory of 708	1952	cmd.exe	timeout.exe
PID 1636 wrote to memory of 672	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 672	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 672	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 672	1636	vbc.exe	cmd.exe
PID 672 wrote to memory of 1240	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1240	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1240	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1240	672	cmd.exe	timeout.exe
PID 1636 wrote to memory of 1624	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 1624	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 1624	1636	vbc.exe	cmd.exe
PID 1636 wrote to memory of 1624	1636	vbc.exe	cmd.exe
PID 1624 wrote to memory of 1700	1624	cmd.exe	timeout.exe
PID 1624 wrote to memory of 1700	1624	cmd.exe	timeout.exe
PID 1624 wrote to memory of 1700	1624	cmd.exe	timeout.exe
PID 1624 wrote to memory of 1700	1624	cmd.exe	timeout.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1636 wrote to memory of 1292	1636	vbc.exe	vbc.exe
PID 1292 wrote to memory of 1720	1292	vbc.exe	WScript.exe
PID 1292 wrote to memory of 1720	1292	vbc.exe	WScript.exe
PID 1292 wrote to memory of 1720	1292	vbc.exe	WScript.exe
PID 1292 wrote to memory of 1720	1292	vbc.exe	WScript.exe
PID 1720 wrote to memory of 1168	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 1168	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 1168	1720	WScript.exe	cmd.exe
PID 1720 wrote to memory of 1168	1720	WScript.exe	cmd.exe
PID 1168 wrote to memory of 1124	1168	cmd.exe	vlc.exe
PID 1168 wrote to memory of 1124	1168	cmd.exe	vlc.exe
PID 1168 wrote to memory of 1124	1168	cmd.exe	vlc.exe
PID 1168 wrote to memory of 1124	1168	cmd.exe	vlc.exe
PID 1124 wrote to memory of 1196	1124	vlc.exe	cmd.exe
PID 1124 wrote to memory of 1196	1124	vlc.exe	cmd.exe
PID 1124 wrote to memory of 1196	1124	vlc.exe	cmd.exe
PID 1124 wrote to memory of 1196	1124	vlc.exe	cmd.exe
PID 1196 wrote to memory of 1036	1196	cmd.exe	timeout.exe
PID 1196 wrote to memory of 1036	1196	cmd.exe	timeout.exe
PID 1196 wrote to memory of 1036	1196	cmd.exe	timeout.exe
PID 1196 wrote to memory of 1036	1196	cmd.exe	timeout.exe
PID 1124 wrote to memory of 1768	1124	vlc.exe	cmd.exe
PID 1124 wrote to memory of 1768	1124	vlc.exe	cmd.exe
PID 1124 wrote to memory of 1768	1124	vlc.exe	cmd.exe
PID 1124 wrote to memory of 1768	1124	vlc.exe	cmd.exe
PID 1768 wrote to memory of 1712	1768	cmd.exe	timeout.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\2021 NEW PURCHASE REQUIREMENT.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Public\vbc.exe
  "C:\Users\Public\vbc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:1700
- - C:\Users\Public\vbc.exe
    "C:\Users\Public\vbc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Users\Admin\AppData\Roaming\vlc.exe
        
        C:\Users\Admin\AppData\Roaming\vlc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        Delays execution with timeout.exe
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        Delays execution with timeout.exe
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        7⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        Delays execution with timeout.exe
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\vlc.exe
        
        "C:\Users\Admin\AppData\Roaming\vlc.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
0fd303b21c1a43c6a9078e6f5280ca85

SHA1
0db8f1ae34f4e2e72184e337951fde826c0bd26f

SHA256
5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

SHA512
be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
C:\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
\Users\Public\vbc.exe

MD5
75288df36386c8ce9ad16ff78d6cf3ca

SHA1
3f8553a2bfeac57bb76cb4e2050d3aa7fa0a111a

SHA256
86c9b8f7003a77106c1746a855da645783d6ed30fffa45350554ab2edd0e1290

SHA512
7701c1630fa0c19afb98321dc9af635e64080dcbefb356f95051165e84dd27405a919a8ae77e5d38a568a7ce24b9977cd61c45920315c82a73b760080704b0f6

Download Submit
memory/672-16-0x0000000000000000-mapping.dmp

Download
memory/708-15-0x0000000000000000-mapping.dmp

Download
memory/1036-39-0x0000000000000000-mapping.dmp

Download
memory/1124-34-0x000000006B6D0000-0x000000006BDBE000-memory.dmp

Filesize
6.9MB

Download
memory/1124-32-0x0000000000000000-mapping.dmp

Download
memory/1124-35-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1168-27-0x0000000000000000-mapping.dmp

Download
memory/1196-38-0x0000000000000000-mapping.dmp

Download
memory/1240-17-0x0000000000000000-mapping.dmp

Download
memory/1292-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1292-21-0x0000000000413FA4-mapping.dmp

Download
memory/1292-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1484-45-0x0000000000413FA4-mapping.dmp

Download
memory/1484-47-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1608-42-0x0000000000000000-mapping.dmp

Download
memory/1624-18-0x0000000000000000-mapping.dmp

Download
memory/1636-13-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1636-11-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1636-10-0x000000006BDC0000-0x000000006C4AE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-7-0x0000000000000000-mapping.dmp

Download
memory/1700-19-0x0000000000000000-mapping.dmp

Download
memory/1712-41-0x0000000000000000-mapping.dmp

Download
memory/1720-25-0x0000000000000000-mapping.dmp

Download
memory/1720-28-0x0000000002690000-0x0000000002694000-memory.dmp

Filesize
16KB

Download
memory/1732-2-0x000007FEF61D0000-0x000007FEF644A000-memory.dmp

Filesize
2.5MB

Download
memory/1768-40-0x0000000000000000-mapping.dmp

Download
memory/1952-14-0x0000000000000000-mapping.dmp

Download
memory/2032-43-0x0000000000000000-mapping.dmp

Download