remcos | e2569ec36e92c20060f47e60994da1ec8fbe203a2a5dfd60a3624d7eae7355b6

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
19-01-2021 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Product List 01.xlsx
Size

2.4MB
MD5

44015f105e6b64a770d80ab510b4f7a9
SHA1

eee4ed694385ccc3fe9896ceb2fb5c118c260a58
SHA256

e2569ec36e92c20060f47e60994da1ec8fbe203a2a5dfd60a3624d7eae7355b6
SHA512

f01e9865ee81a8b1978990f64a45201074aee682e7ef77c846276a9d79f57348f3575ea450b1a0dbd4c9b5aa8bab91428d894e6e4fa3ec7ff780dd80487eba95

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

grtwyagvbxnzmklopmdhsyuwaszxbyhredsnmko.ydns.eu:2006

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1976 EQNEDT32.EXE
Executes dropped EXE 5 IoCs

Processes:

vbc.exevbc.exewin.exewin.exewin.exe

pid process

1912 vbc.exe
1740 vbc.exe
1044 win.exe
1612 win.exe
1748 win.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXEcmd.exe

pid process

1976 EQNEDT32.EXE
1976 EQNEDT32.EXE
1884 cmd.exe
1884 cmd.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
7	1976	EQNEDT32.EXE

pid	process
1976	EQNEDT32.EXE
1976	EQNEDT32.EXE
1884	cmd.exe
1884	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exewin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	win.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\win.exe\""	win.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

vbc.exewin.exe

pid	process
1912	vbc.exe
1912	vbc.exe
1912	vbc.exe
1912	vbc.exe
1912	vbc.exe
1912	vbc.exe
1912	vbc.exe
1044	win.exe
1044	win.exe
1044	win.exe
1044	win.exe
1044	win.exe
1044	win.exe
1044	win.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vbc.exewin.exe

description pid process target process

PID 1912 set thread context of 1740 1912 vbc.exe vbc.exe
PID 1044 set thread context of 1748 1044 win.exe win.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1920 timeout.exe
1580 timeout.exe
1484 timeout.exe
1984 timeout.exe
1032 timeout.exe
1616 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1976 EQNEDT32.EXE

description	pid	process	target process
PID 1912 set thread context of 1740	1912	vbc.exe	vbc.exe
PID 1044 set thread context of 1748	1044	win.exe	win.exe

pid	process
1920	timeout.exe
1580	timeout.exe
1484	timeout.exe
1984	timeout.exe
1032	timeout.exe
1616	timeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1976	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1872 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

vbc.exewin.exe

pid process

1912 vbc.exe
1912 vbc.exe
1912 vbc.exe
1044 win.exe
1044 win.exe
1044 win.exe
1044 win.exe
1044 win.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exewin.exe

description pid process

Token: SeDebugPrivilege 1912 vbc.exe
Token: SeDebugPrivilege 1044 win.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXEwin.exe

pid process

1872 EXCEL.EXE
1872 EXCEL.EXE
1872 EXCEL.EXE
1748 win.exe

pid	process
1872	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1912	vbc.exe
Token: SeDebugPrivilege	1044	win.exe

pid	process
1872	EXCEL.EXE
1872	EXCEL.EXE
1872	EXCEL.EXE
1748	win.exe

Suspicious use of WriteProcessMemory 90 IoCs

Processes:

EQNEDT32.EXEvbc.execmd.execmd.execmd.exevbc.exeWScript.execmd.exewin.execmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1912	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1912	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1912	1976	EQNEDT32.EXE	vbc.exe
PID 1976 wrote to memory of 1912	1976	EQNEDT32.EXE	vbc.exe
PID 1912 wrote to memory of 1916	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1916	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1916	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1916	1912	vbc.exe	cmd.exe
PID 1916 wrote to memory of 1032	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 1032	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 1032	1916	cmd.exe	timeout.exe
PID 1916 wrote to memory of 1032	1916	cmd.exe	timeout.exe
PID 1912 wrote to memory of 1272	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1272	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1272	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1272	1912	vbc.exe	cmd.exe
PID 1272 wrote to memory of 1616	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 1616	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 1616	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 1616	1272	cmd.exe	timeout.exe
PID 1912 wrote to memory of 1340	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1340	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1340	1912	vbc.exe	cmd.exe
PID 1912 wrote to memory of 1340	1912	vbc.exe	cmd.exe
PID 1340 wrote to memory of 1920	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1920	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1920	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1920	1340	cmd.exe	timeout.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1912 wrote to memory of 1740	1912	vbc.exe	vbc.exe
PID 1740 wrote to memory of 1976	1740	vbc.exe	WScript.exe
PID 1740 wrote to memory of 1976	1740	vbc.exe	WScript.exe
PID 1740 wrote to memory of 1976	1740	vbc.exe	WScript.exe
PID 1740 wrote to memory of 1976	1740	vbc.exe	WScript.exe
PID 1976 wrote to memory of 1884	1976	WScript.exe	cmd.exe
PID 1976 wrote to memory of 1884	1976	WScript.exe	cmd.exe
PID 1976 wrote to memory of 1884	1976	WScript.exe	cmd.exe
PID 1976 wrote to memory of 1884	1976	WScript.exe	cmd.exe
PID 1884 wrote to memory of 1044	1884	cmd.exe	win.exe
PID 1884 wrote to memory of 1044	1884	cmd.exe	win.exe
PID 1884 wrote to memory of 1044	1884	cmd.exe	win.exe
PID 1884 wrote to memory of 1044	1884	cmd.exe	win.exe
PID 1044 wrote to memory of 1496	1044	win.exe	cmd.exe
PID 1044 wrote to memory of 1496	1044	win.exe	cmd.exe
PID 1044 wrote to memory of 1496	1044	win.exe	cmd.exe
PID 1044 wrote to memory of 1496	1044	win.exe	cmd.exe
PID 1496 wrote to memory of 1580	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 1580	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 1580	1496	cmd.exe	timeout.exe
PID 1496 wrote to memory of 1580	1496	cmd.exe	timeout.exe
PID 1044 wrote to memory of 1788	1044	win.exe	cmd.exe
PID 1044 wrote to memory of 1788	1044	win.exe	cmd.exe
PID 1044 wrote to memory of 1788	1044	win.exe	cmd.exe
PID 1044 wrote to memory of 1788	1044	win.exe	cmd.exe
PID 1788 wrote to memory of 1484	1788	cmd.exe	timeout.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Product List 01.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1920

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Roaming\win.exe
C:\Users\Admin\AppData\Roaming\win.exe
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
7⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\timeout.exe
timeout 1
8⤵
- Delays execution with timeout.exe
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
7⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\timeout.exe
timeout 1
8⤵
- Delays execution with timeout.exe
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
7⤵
PID:1916

C:\Windows\SysWOW64\timeout.exe
timeout 1
8⤵
- Delays execution with timeout.exe
PID:1984

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
7⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
4a74e626596d6e66b4bbc59ee6848f2d

SHA1
047849ac8735ecc0943428c7cd5e00b52eee06ed

SHA256
98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

SHA512
1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
C:\Users\Public\vbc.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
C:\Users\Public\vbc.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
C:\Users\Public\vbc.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
\Users\Admin\AppData\Roaming\win.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
\Users\Admin\AppData\Roaming\win.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
\Users\Public\vbc.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
\Users\Public\vbc.exe
MD5
5de1c7ab2a83edc8ae757ba8d7f62adb

SHA1
30d1ff434b659916eaf8c37fea1190b91aa650ce

SHA256
e7b1ad88e518117bed32f9ff14ae294d579826cee660c49cb58d48d59133a523

SHA512
a82c885923d028381148e21f673a38399fe8ca1072049e114088e02bedc3b8e17ba16dcc053f793ce7c01bdc305580236ec7f4249d2dd8279f46f3117be72982

Download Submit
memory/1032-18-0x0000000000000000-mapping.dmp

Download
memory/1044-38-0x000000006C090000-0x000000006C77E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-45-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1044-39-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1044-36-0x0000000000000000-mapping.dmp

Download
memory/1272-19-0x0000000000000000-mapping.dmp

Download
memory/1340-21-0x0000000000000000-mapping.dmp

Download
memory/1484-48-0x0000000000000000-mapping.dmp

Download
memory/1496-42-0x0000000000000000-mapping.dmp

Download
memory/1580-44-0x0000000000000000-mapping.dmp

Download
memory/1616-20-0x0000000000000000-mapping.dmp

Download
memory/1740-23-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1740-27-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1740-24-0x0000000000413FA4-mapping.dmp

Download
memory/1748-54-0x0000000000413FA4-mapping.dmp

Download
memory/1748-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1788-46-0x0000000000000000-mapping.dmp

Download
memory/1816-6-0x000007FEF7810000-0x000007FEF7A8A000-memory.dmp

Filesize
2.5MB

Download
memory/1872-3-0x0000000071201000-0x0000000071203000-memory.dmp

Filesize
8KB

Download
memory/1872-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1872-2-0x000000002F7A1000-0x000000002F7A4000-memory.dmp

Filesize
12KB

Download
memory/1884-31-0x0000000000000000-mapping.dmp

Download
memory/1912-17-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1912-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1912-9-0x0000000000000000-mapping.dmp

Download
memory/1912-12-0x000000006BC70000-0x000000006C35E000-memory.dmp

Filesize
6.9MB

Download
memory/1912-15-0x00000000003B0000-0x00000000003E1000-memory.dmp

Filesize
196KB

Download
memory/1916-16-0x0000000000000000-mapping.dmp

Download
memory/1916-49-0x0000000000000000-mapping.dmp

Download
memory/1920-22-0x0000000000000000-mapping.dmp

Download
memory/1976-28-0x0000000000000000-mapping.dmp

Download
memory/1976-32-0x0000000002550000-0x0000000002554000-memory.dmp

Filesize
16KB

Download
memory/1976-5-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1984-51-0x0000000000000000-mapping.dmp

Download