remcos | 34b348476c9948e33243898e3cae38d0831305fecb871c19d9f5519ff63ccc77

Analysis

max time kernel
149s
max time network
163s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enquiry MW886079 ( Flowstar.CO.UK ).exe
Size

901KB
MD5

c396a92cfb2646cde0b781fc5e65bc16
SHA1

337984712bcb8e1ed775008a104013ec171da0e9
SHA256

1bcb5256d3c0ac49ce2b13c2638d2a795f6cdf77591d29cb01d0b3731615470b
SHA512

4f6663135c21f51d63cf635c05f557aede0ac131ca4fbf3375e0a184a1530137ac3607c87b2f4eaf3fd8e5f989c908e9bc0f813f9b57df735b2c20cf03da0f8a

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

RemoteHost

hadrqlo.ddns.net:4301

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-27TUGW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\csscr.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 4 IoCs

Processes:

csscr.exeAddInProcess32.exelssc.exelssc.exe

pid process

500 csscr.exe
1128 AddInProcess32.exe
1572 lssc.exe
2156 lssc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

csscr.exe

description pid process target process

PID 500 set thread context of 1128 500 csscr.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
500	csscr.exe
1128	AddInProcess32.exe
1572	lssc.exe
2156	lssc.exe

description	pid	process	target process
PID 500 set thread context of 1128	500	csscr.exe	AddInProcess32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csscr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csscr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csscr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f630400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csscr.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Enquiry MW886079 ( Flowstar.CO.UK ).execsscr.exelssc.exelssc.exe

pid	process
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
500	csscr.exe
500	csscr.exe
500	csscr.exe
1572	lssc.exe
2156	lssc.exe
2156	lssc.exe
2156	lssc.exe
500	csscr.exe
500	csscr.exe
500	csscr.exe
500	csscr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AddInProcess32.exe

pid process

1128 AddInProcess32.exe

pid	process
1128	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Enquiry MW886079 ( Flowstar.CO.UK ).execsscr.exelssc.exelssc.exe

description	pid	process
Token: SeDebugPrivilege	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe
Token: SeDebugPrivilege	500	csscr.exe
Token: SeDebugPrivilege	1572	lssc.exe
Token: SeDebugPrivilege	2156	lssc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

1128 AddInProcess32.exe

pid	process
1128	AddInProcess32.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Enquiry MW886079 ( Flowstar.CO.UK ).execmd.execsscr.exelssc.exe

description	pid	process	target process
PID 4328 wrote to memory of 4496	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe	cmd.exe
PID 4328 wrote to memory of 4496	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe	cmd.exe
PID 4328 wrote to memory of 4496	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe	cmd.exe
PID 4496 wrote to memory of 496	4496	cmd.exe	reg.exe
PID 4496 wrote to memory of 496	4496	cmd.exe	reg.exe
PID 4496 wrote to memory of 496	4496	cmd.exe	reg.exe
PID 4328 wrote to memory of 500	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe	csscr.exe
PID 4328 wrote to memory of 500	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe	csscr.exe
PID 4328 wrote to memory of 500	4328	Enquiry MW886079 ( Flowstar.CO.UK ).exe	csscr.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1128	500	csscr.exe	AddInProcess32.exe
PID 500 wrote to memory of 1572	500	csscr.exe	lssc.exe
PID 500 wrote to memory of 1572	500	csscr.exe	lssc.exe
PID 500 wrote to memory of 1572	500	csscr.exe	lssc.exe
PID 1572 wrote to memory of 2156	1572	lssc.exe	lssc.exe
PID 1572 wrote to memory of 2156	1572	lssc.exe	lssc.exe
PID 1572 wrote to memory of 2156	1572	lssc.exe	lssc.exe

C:\Users\Admin\AppData\Local\Temp\Enquiry MW886079 ( Flowstar.CO.UK ).exe
"C:\Users\Admin\AppData\Local\Temp\Enquiry MW886079 ( Flowstar.CO.UK ).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\csscr.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\csscr.exe,"
3⤵
- Modifies WinLogon for persistence
PID:496

C:\Users\Admin\AppData\Roaming\csscr.exe
"C:\Users\Admin\AppData\Roaming\csscr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Users\Admin\AppData\Local\Temp\lssc.exe
"C:\Users\Admin\AppData\Local\Temp\lssc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\lssc.exe
"C:\Users\Admin\AppData\Local\Temp\lssc.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lssc.exe.log
MD5
e555c48cb712a9597ecb55a60135d1f8

SHA1
2081c72d30c34ec3f61f9944545ecdaae11521f7

SHA256
815c80df060afa8acf7640ca011735ef77c66666d03901e04a8767827d5da4e9

SHA512
32129b5be15217e5400f1e7536270a703d62db60ebb06396b9d74703e6a0dcd2e78f7f42b2019093be1508a9310912f305b88de274a295c9135a4086cd8c8427

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssc.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssc.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssc.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssc.txt
MD5
4a8fc5310a7d84966f649395425f232d

SHA1
ef3d47260d54de5a5d8c2a03158d78b9592c178b

SHA256
2f4d30450f1eb1bf9d1c98d2fc67c11b44b3f509b87d05c03b0428728e5ad01a

SHA512
b99340075d46567c5ed58989c83836523b0b6d4482a7a531a6590f733c82687c4d13391fb4b890763cfeb3fb41f5c0a1f45e64cf7a86718a98043bd895acbaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssc.txt
MD5
6b0ed42fb02220b903e2af792242b41e

SHA1
78972ba6a899d3d8b9dba3b5048582528cf95de5

SHA256
5b8e447b227e2d904d100d355ea2732378d054ea752639f05d0ad6c43b5b93ea

SHA512
ba2c3232a016a79af401085aa7bfa3dacdc8c78a2a0e483d8fd230bf35a4ade4d665f2a9c9cd4d6dd97c75505e09eae3a766c54e2d0e92cf468132327dd58b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\lssc.txt
MD5
64304f3a8a4101477eac1bde7983a5cc

SHA1
789b9975b9225a74f3765cb884051707dbc45d35

SHA256
53a47a0514cb155c6beef7eac36e5c9f7346440bb344e858436d6e47e84cf916

SHA512
530e1eccdbac6d27fd5d70a4541d6e1d8332369cb0689d46d9d57b5e4e3aa46ec1c151faba5ae2be65d94361429207aafed262f5b3d7cacf251a9f4eae2c2098

Download Submit
C:\Users\Admin\AppData\Roaming\csscr.exe
MD5
c396a92cfb2646cde0b781fc5e65bc16

SHA1
337984712bcb8e1ed775008a104013ec171da0e9

SHA256
1bcb5256d3c0ac49ce2b13c2638d2a795f6cdf77591d29cb01d0b3731615470b

SHA512
4f6663135c21f51d63cf635c05f557aede0ac131ca4fbf3375e0a184a1530137ac3607c87b2f4eaf3fd8e5f989c908e9bc0f813f9b57df735b2c20cf03da0f8a

Download Submit
C:\Users\Admin\AppData\Roaming\csscr.exe
MD5
c396a92cfb2646cde0b781fc5e65bc16

SHA1
337984712bcb8e1ed775008a104013ec171da0e9

SHA256
1bcb5256d3c0ac49ce2b13c2638d2a795f6cdf77591d29cb01d0b3731615470b

SHA512
4f6663135c21f51d63cf635c05f557aede0ac131ca4fbf3375e0a184a1530137ac3607c87b2f4eaf3fd8e5f989c908e9bc0f813f9b57df735b2c20cf03da0f8a

Download Submit
memory/496-124-0x0000000000000000-mapping.dmp

Download
memory/500-125-0x0000000000000000-mapping.dmp

Download
memory/500-134-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/500-136-0x0000000007F70000-0x0000000007F7A000-memory.dmp

Filesize
40KB

Download
memory/500-141-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/1128-137-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1128-140-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1128-138-0x000000000042FC39-mapping.dmp

Download
memory/1572-145-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1572-142-0x0000000000000000-mapping.dmp

Download
memory/2156-149-0x0000000000000000-mapping.dmp

Download
memory/4328-122-0x0000000002490000-0x00000000024B4000-memory.dmp

Filesize
144KB

Download
memory/4328-115-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4328-121-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/4328-120-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/4328-119-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4328-118-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/4328-117-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4496-123-0x0000000000000000-mapping.dmp

Download