remcos | f6b2823f8e862aa77bf54a5820334fec3e82a666881bbdf2f8a970a52b1adaba

Analysis

max time kernel
70s
max time network
43s
platform
windows7_x64
resource
win7v20201028
submitted
18-01-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LC-0042002210001102.xlsx
Size

2.3MB
MD5

f70ff866a39148173a933bc17f45ecbc
SHA1

150eb890094dda5751ef87c6980743ca14e7eb83
SHA256

f6b2823f8e862aa77bf54a5820334fec3e82a666881bbdf2f8a970a52b1adaba
SHA512

417289944826ab4f178638e2ca7e004c4e31c530568dcc39c2b8e8c5acbd298a67584948974ae719c84ad770a238ff0fadd9d126c702c036d530adb5fa761b73

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

push4me.freeddns.org:1814

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1180 EQNEDT32.EXE

flow	pid	process
7	1180	EQNEDT32.EXE

Executes dropped EXE 21 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid	process
304	vbc.exe
988	vbc.exe
1832	vbc.exe
1576	vbc.exe
1672	vbc.exe
1708	vbc.exe
1564	vbc.exe
1716	vbc.exe
712	vbc.exe
1068	vbc.exe
920	vbc.exe
592	vbc.exe
1204	vbc.exe
1828	vbc.exe
436	vbc.exe
1680	vbc.exe
1664	vbc.exe
300	vbc.exe
1984	vbc.exe
1564	vbc.exe
1252	vbc.exe

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1180 EQNEDT32.EXE
1180 EQNEDT32.EXE
1180 EQNEDT32.EXE
1180 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1180	EQNEDT32.EXE
1180	EQNEDT32.EXE
1180	EQNEDT32.EXE
1180	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtemcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\eremcos\\VLC.exe\""	vbc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1180 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1180	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

740 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

740 EXCEL.EXE
740 EXCEL.EXE
740 EXCEL.EXE

pid	process
740	EXCEL.EXE

pid	process
740	EXCEL.EXE
740	EXCEL.EXE
740	EXCEL.EXE

Suspicious use of WriteProcessMemory 92 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 1180 wrote to memory of 304	1180	EQNEDT32.EXE	vbc.exe
PID 1180 wrote to memory of 304	1180	EQNEDT32.EXE	vbc.exe
PID 1180 wrote to memory of 304	1180	EQNEDT32.EXE	vbc.exe
PID 1180 wrote to memory of 304	1180	EQNEDT32.EXE	vbc.exe
PID 304 wrote to memory of 988	304	vbc.exe	vbc.exe
PID 304 wrote to memory of 988	304	vbc.exe	vbc.exe
PID 304 wrote to memory of 988	304	vbc.exe	vbc.exe
PID 304 wrote to memory of 988	304	vbc.exe	vbc.exe
PID 988 wrote to memory of 1832	988	vbc.exe	vbc.exe
PID 988 wrote to memory of 1832	988	vbc.exe	vbc.exe
PID 988 wrote to memory of 1832	988	vbc.exe	vbc.exe
PID 988 wrote to memory of 1832	988	vbc.exe	vbc.exe
PID 1832 wrote to memory of 1576	1832	vbc.exe	vbc.exe
PID 1832 wrote to memory of 1576	1832	vbc.exe	vbc.exe
PID 1832 wrote to memory of 1576	1832	vbc.exe	vbc.exe
PID 1832 wrote to memory of 1576	1832	vbc.exe	vbc.exe
PID 1576 wrote to memory of 1672	1576	vbc.exe	vbc.exe
PID 1576 wrote to memory of 1672	1576	vbc.exe	vbc.exe
PID 1576 wrote to memory of 1672	1576	vbc.exe	vbc.exe
PID 1576 wrote to memory of 1672	1576	vbc.exe	vbc.exe
PID 1672 wrote to memory of 1708	1672	vbc.exe	vbc.exe
PID 1672 wrote to memory of 1708	1672	vbc.exe	vbc.exe
PID 1672 wrote to memory of 1708	1672	vbc.exe	vbc.exe
PID 1672 wrote to memory of 1708	1672	vbc.exe	vbc.exe
PID 1708 wrote to memory of 1564	1708	vbc.exe	vbc.exe
PID 1708 wrote to memory of 1564	1708	vbc.exe	vbc.exe
PID 1708 wrote to memory of 1564	1708	vbc.exe	vbc.exe
PID 1708 wrote to memory of 1564	1708	vbc.exe	vbc.exe
PID 1564 wrote to memory of 1716	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 1716	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 1716	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 1716	1564	vbc.exe	vbc.exe
PID 1716 wrote to memory of 712	1716	vbc.exe	vbc.exe
PID 1716 wrote to memory of 712	1716	vbc.exe	vbc.exe
PID 1716 wrote to memory of 712	1716	vbc.exe	vbc.exe
PID 1716 wrote to memory of 712	1716	vbc.exe	vbc.exe
PID 712 wrote to memory of 1068	712	vbc.exe	vbc.exe
PID 712 wrote to memory of 1068	712	vbc.exe	vbc.exe
PID 712 wrote to memory of 1068	712	vbc.exe	vbc.exe
PID 712 wrote to memory of 1068	712	vbc.exe	vbc.exe
PID 1068 wrote to memory of 920	1068	vbc.exe	vbc.exe
PID 1068 wrote to memory of 920	1068	vbc.exe	vbc.exe
PID 1068 wrote to memory of 920	1068	vbc.exe	vbc.exe
PID 1068 wrote to memory of 920	1068	vbc.exe	vbc.exe
PID 920 wrote to memory of 592	920	vbc.exe	vbc.exe
PID 920 wrote to memory of 592	920	vbc.exe	vbc.exe
PID 920 wrote to memory of 592	920	vbc.exe	vbc.exe
PID 920 wrote to memory of 592	920	vbc.exe	vbc.exe
PID 592 wrote to memory of 1204	592	vbc.exe	vbc.exe
PID 592 wrote to memory of 1204	592	vbc.exe	vbc.exe
PID 592 wrote to memory of 1204	592	vbc.exe	vbc.exe
PID 592 wrote to memory of 1204	592	vbc.exe	vbc.exe
PID 1204 wrote to memory of 1828	1204	vbc.exe	vbc.exe
PID 1204 wrote to memory of 1828	1204	vbc.exe	vbc.exe
PID 1204 wrote to memory of 1828	1204	vbc.exe	vbc.exe
PID 1204 wrote to memory of 1828	1204	vbc.exe	vbc.exe
PID 1828 wrote to memory of 436	1828	vbc.exe	vbc.exe
PID 1828 wrote to memory of 436	1828	vbc.exe	vbc.exe
PID 1828 wrote to memory of 436	1828	vbc.exe	vbc.exe
PID 1828 wrote to memory of 436	1828	vbc.exe	vbc.exe
PID 436 wrote to memory of 1680	436	vbc.exe	vbc.exe
PID 436 wrote to memory of 1680	436	vbc.exe	vbc.exe
PID 436 wrote to memory of 1680	436	vbc.exe	vbc.exe
PID 436 wrote to memory of 1680	436	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\LC-0042002210001102.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:740

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
17⤵
- Executes dropped EXE
PID:1680

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
18⤵
- Executes dropped EXE
PID:1664

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
19⤵
- Executes dropped EXE
PID:300

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
20⤵
- Executes dropped EXE
PID:1984

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
21⤵
- Executes dropped EXE
PID:1564

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
22⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
23⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe"
24⤵
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
516c683f65edb23d0e850fa3ef3c8684

SHA1
2ac568ffec85d04a03ce8cd67d22c0f57ebcf78b

SHA256
90fcf9d38e16bf59c8ba902a0a2fb4535cb54515fdb51ecf561cec6911db553d

SHA512
fb785e0ba530ef75dab428467da6b2da078a356a953fb7b1729d2474b06a44f854cfd41fa6f3432e13f330c4a12b1665d316c63291fbd46bb165ba1e7b384c93

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
C:\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
\Users\Public\vbc.exe
MD5
d0b73f883fdd6cc9097028375fdc6231

SHA1
786826282e4f20076f50b7648e45ca1df856dd12

SHA256
97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

SHA512
6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Download Submit
memory/300-63-0x0000000000000000-mapping.dmp

Download
memory/304-11-0x0000000000000000-mapping.dmp

Download
memory/332-79-0x0000000000000000-mapping.dmp

Download
memory/436-54-0x0000000000000000-mapping.dmp

Download
memory/592-45-0x0000000000000000-mapping.dmp

Download
memory/608-75-0x0000000000000000-mapping.dmp

Download
memory/608-80-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/712-36-0x0000000000000000-mapping.dmp

Download
memory/740-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/740-2-0x000000002F571000-0x000000002F574000-memory.dmp

Filesize
12KB

Download
memory/740-3-0x0000000071441000-0x0000000071443000-memory.dmp

Filesize
8KB

Download
memory/792-6-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

Filesize
2.5MB

Download
memory/920-42-0x0000000000000000-mapping.dmp

Download
memory/988-15-0x0000000000000000-mapping.dmp

Download
memory/1068-39-0x0000000000000000-mapping.dmp

Download
memory/1180-5-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1204-48-0x0000000000000000-mapping.dmp

Download
memory/1252-78-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1252-72-0x0000000000000000-mapping.dmp

Download
memory/1564-69-0x0000000000000000-mapping.dmp

Download
memory/1564-30-0x0000000000000000-mapping.dmp

Download
memory/1576-21-0x0000000000000000-mapping.dmp

Download
memory/1664-60-0x0000000000000000-mapping.dmp

Download
memory/1672-24-0x0000000000000000-mapping.dmp

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download
memory/1708-27-0x0000000000000000-mapping.dmp

Download
memory/1716-33-0x0000000000000000-mapping.dmp

Download
memory/1828-51-0x0000000000000000-mapping.dmp

Download
memory/1832-18-0x0000000000000000-mapping.dmp

Download
memory/1984-66-0x0000000000000000-mapping.dmp

Download