remcos | eabdfa7af51b0ad6d49602685f207ce19dfe287dd6cfc808b53fb4e580734f50

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-03-2023 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USD23.026,90 (Tiller Order).docx
Size

10KB
MD5

40fa41596ac736f6e23965c0094bb946
SHA1

c64c3183fb4466cce653d55743d40ff156606754
SHA256

eabdfa7af51b0ad6d49602685f207ce19dfe287dd6cfc808b53fb4e580734f50
SHA512

83e57aa3b75462ffe3fa1481af6e4694050b64074492d4f22ba5b0fedb83087037846d4c6cd7933619405ac7f8bbf803739e3cf640f453e50a9634729f718845
SSDEEP

192:ScIMmtP1aIG/bslPL++uOsAl+CVWBXJC0c3CV:SPXU/slT+LOBHkZC9i

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

vcv.mastercoa.co:8489

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4IE8MY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1628-212-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1628-213-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1728-191-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-201-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1728-208-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-191-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1760-200-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1728-201-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1760-202-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1728-208-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1628-212-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1628-213-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

10 1896 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
10	1896	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\Common\Offline\Files\http://2401929236/80................80...................80.doc	WINWORD.EXE

Executes dropped EXE 6 IoCs

Processes:

vbc.exeryiixl.exeryiixl.exeryiixl.exeryiixl.exeryiixl.exe

pid process

1960 vbc.exe
668 ryiixl.exe
1272 ryiixl.exe
1728 ryiixl.exe
1628 ryiixl.exe
1760 ryiixl.exe
Loads dropped DLL 7 IoCs

Processes:

EQNEDT32.EXEvbc.exeryiixl.exeryiixl.exe

pid process

1896 EQNEDT32.EXE
1960 vbc.exe
1960 vbc.exe
668 ryiixl.exe
1272 ryiixl.exe
1272 ryiixl.exe
1272 ryiixl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1960	vbc.exe
668	ryiixl.exe
1272	ryiixl.exe
1728	ryiixl.exe
1628	ryiixl.exe
1760	ryiixl.exe

pid	process
1896	EQNEDT32.EXE
1960	vbc.exe
1960	vbc.exe
668	ryiixl.exe
1272	ryiixl.exe
1272	ryiixl.exe
1272	ryiixl.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ryiixl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ryiixl.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ryiixl.exeryiixl.exe

description	pid	process	target process
PID 668 set thread context of 1272	668	ryiixl.exe	ryiixl.exe
PID 1272 set thread context of 1728	1272	ryiixl.exe	ryiixl.exe
PID 1272 set thread context of 1628	1272	ryiixl.exe	ryiixl.exe
PID 1272 set thread context of 1760	1272	ryiixl.exe	ryiixl.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1896 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1896	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1476 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ryiixl.exe

pid process

1728 ryiixl.exe
1728 ryiixl.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

ryiixl.exeryiixl.exe

pid process

668 ryiixl.exe
1272 ryiixl.exe
1272 ryiixl.exe
1272 ryiixl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ryiixl.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1760 ryiixl.exe
Token: SeShutdownPrivilege 1476 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEryiixl.exe

pid process

1476 WINWORD.EXE
1476 WINWORD.EXE
1272 ryiixl.exe

pid	process
1476	WINWORD.EXE

pid	process
1728	ryiixl.exe
1728	ryiixl.exe

pid	process
668	ryiixl.exe
1272	ryiixl.exe
1272	ryiixl.exe
1272	ryiixl.exe

description	pid	process
Token: SeDebugPrivilege	1760	ryiixl.exe
Token: SeShutdownPrivilege	1476	WINWORD.EXE

pid	process
1476	WINWORD.EXE
1476	WINWORD.EXE
1272	ryiixl.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EQNEDT32.EXEvbc.exeryiixl.exeWINWORD.EXEryiixl.exe

description	pid	process	target process
PID 1896 wrote to memory of 1960	1896	EQNEDT32.EXE	vbc.exe
PID 1896 wrote to memory of 1960	1896	EQNEDT32.EXE	vbc.exe
PID 1896 wrote to memory of 1960	1896	EQNEDT32.EXE	vbc.exe
PID 1896 wrote to memory of 1960	1896	EQNEDT32.EXE	vbc.exe
PID 1960 wrote to memory of 668	1960	vbc.exe	ryiixl.exe
PID 1960 wrote to memory of 668	1960	vbc.exe	ryiixl.exe
PID 1960 wrote to memory of 668	1960	vbc.exe	ryiixl.exe
PID 1960 wrote to memory of 668	1960	vbc.exe	ryiixl.exe
PID 668 wrote to memory of 1272	668	ryiixl.exe	ryiixl.exe
PID 668 wrote to memory of 1272	668	ryiixl.exe	ryiixl.exe
PID 668 wrote to memory of 1272	668	ryiixl.exe	ryiixl.exe
PID 668 wrote to memory of 1272	668	ryiixl.exe	ryiixl.exe
PID 668 wrote to memory of 1272	668	ryiixl.exe	ryiixl.exe
PID 1476 wrote to memory of 816	1476	WINWORD.EXE	splwow64.exe
PID 1476 wrote to memory of 816	1476	WINWORD.EXE	splwow64.exe
PID 1476 wrote to memory of 816	1476	WINWORD.EXE	splwow64.exe
PID 1476 wrote to memory of 816	1476	WINWORD.EXE	splwow64.exe
PID 1272 wrote to memory of 1728	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1728	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1728	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1728	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1728	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1628	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1628	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1628	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1628	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1628	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1760	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1760	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1760	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1760	1272	ryiixl.exe	ryiixl.exe
PID 1272 wrote to memory of 1760	1272	ryiixl.exe	ryiixl.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\USD23.026,90 (Tiller Order).docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:816

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
"C:\Users\Admin\AppData\Local\Temp\ryiixl.exe" C:\Users\Admin\AppData\Local\Temp\jdgwj.al
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
"C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hscpnoxjkymxnryov"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe /stext "C:\Users\Admin\AppData\Local\Temp\rmiiohilygebpfmrmjdnf"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1628

C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe /stext "C:\Users\Admin\AppData\Local\Temp\conahztfmowozlivvuphisaw"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
254B

MD5
b3eed3ce3e99ed63df18210eb35e4656

SHA1
eeca23be8e13f64192b45bee829c8882a06e5399

SHA256
86111e49e9d3f5bb591aa7be6b07b096e36170e40ecaed6a3a0bcbeb8abf5817

SHA512
484e485332f213b657fb655cd27a584fb4ebd3fcb5ee2709afecc9706bde9dba8cb3ac9619bdd2a6be29610030634d02a4329329afb67b3c9cabc07f8a11a4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{08DE8121-0139-4EDE-BBCE-98C90BBB5ED2}.FSD
Filesize
128KB

MD5
a8a08396e12306c93b6f6bc2628d28c6

SHA1
199fbb59368ffb699cb4527b30d69769ff2a111d

SHA256
085e38bc0721f85cefbc4b01a9476aea83c3d58890ee7f869326187ef0394c55

SHA512
a65871dad1904619ab61e4f208471f14021d13395a7dde12d2f6f8a1c455fb3266b2c0a85f0a0d33df4240fc73beec80598004d159956216607d978bc1eaefe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
bdb25acba63ee17d233cc772859ef7b6

SHA1
55ae03310366c93f923aabde81b8de58ee6bf29d

SHA256
3225ca966988b8a355c1b5f4004642ff2a7f4cba3dab2fb2807283b740501171

SHA512
b2a14e91278fa9087e69eb325f6d46675341ee7e9dee97be623c88e8fb8fb40f881039483f0273bdaa4613856570e55d3ac083ed0027a0a87ef0805ce6e149bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{04A10F4B-1374-47A5-8925-36C4421FCE72}.FSD
Filesize
128KB

MD5
ab4a64d168071e4295e6af8417cad0cb

SHA1
c4fc90bcd4dabf1a41e2645b9cdad08f74879fe1

SHA256
29533d2ea611bf69dd72e1b6b6d9bee4d32a1e39d566b8ccc721d616ddd05c0a

SHA512
0d7e913e7d0862c79502ce27bd1239ce1fb3a43ff14ce4aea647c3e93627ae8f68754ea03309503e8b839f6ec5a29c8f679311b99f86f21c2a1655d8d6cef953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\80................80...................80[1].doc
Filesize
25KB

MD5
fa106001a7cf2deb09192898ba82b50f

SHA1
d472611b9c4185f4dad80143c6c46cb3a3047779

SHA256
e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057

SHA512
16ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\hscpnoxjkymxnryov
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\hscpnoxjkymxnryov
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdgwj.al
Filesize
5KB

MD5
2713735a6a22806ebe05a3616d813b9d

SHA1
aa850ef9a7277de15a3a7dacff134a7f6a9f43d5

SHA256
3230b1927e92ec8b3e76d353a97807718e766cb81fb4dddccc2997e54404883e

SHA512
ba6fd4723a9182a09ecfb24a86b7452df4177987635e9b530c91745bef427b968b8a07becb87c968e8c86e45bb7b18e072a52a10c845bf367d46ceb2629009a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtnuuqmrl.t
Filesize
495KB

MD5
3492b562086daedc2ebab288e514690d

SHA1
630ef4d0016aa312607b8d43c39f0dc7c4db6b6d

SHA256
70ef2a031c2947fff70f9ac97b662fdb9414b661047b66372a41c53cc354ad9a

SHA512
c615ceaac3f366b8c4cf5781a2927a850926d1a77f9a29d05df399bc5b3c2a5775d89f19f315a27fd82945ad377ce6593fa7a672e241d1baffd6ebbd6de85db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{59B56B4D-8F40-4D95-8E19-B26FDC56382F}
Filesize
128KB

MD5
275abd78e1d939586c3fd8597765a90b

SHA1
08b481fbc05a56ca3ae8c7fe6c6e48ee5ea1a6f2

SHA256
060e96ac0c7fc52141266db91d791f03a36fd9a107e241a3bacc1133fa17849a

SHA512
ed31ec07b15ffaba0de6a471e121e4cca80992c7118668223370632c3214392e53e5985f86a291abb66df36cbe1ea8b4952ae44c823abb38bb12ea591217dacd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
c3360558d7ff0ac9edb5bee138891d8c

SHA1
694637cdc225c1efdb9751236f6b134118f2fe25

SHA256
fa1478ea314450949349453ac50bcebbc7b58349c5fc839c9f863dd900be980f

SHA512
fa4e28c604785643b912902972699f2b4173ccfb4cdeddf7a81cfe4ffe2f3916f1cbfaab0ae2c9114b91f5d95f1ee06b32b9e2c21cb7c46c88857055ab26658c

Download Submit
C:\Users\Public\vbc.exe
Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
C:\Users\Public\vbc.exe
Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
C:\Users\Public\vbc.exe
Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe
Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Public\vbc.exe
Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
memory/1272-218-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1272-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-267-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-266-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-260-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-259-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-225-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-214-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1272-223-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1272-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-219-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1272-217-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1476-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1476-256-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1628-189-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1628-212-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1628-211-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1628-213-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1728-201-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1728-191-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1728-190-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1728-184-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1728-208-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1728-183-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1760-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-199-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-200-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-202-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download