remcos | f40af51c8b3838de273c59423063897ab6bfe9df596a472a6b634dcd7a71cbc2

Analysis

max time kernel
91s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lectura de cargos.exe
Size

670.0MB
MD5

bdb8cbc51cb8f186e4a8b56217ead338
SHA1

877b1f5e43bd90fc3be1bda08250c87565a10f3a
SHA256

7706a18ee5ae4110a77ee6b4b055cdcd46f120d00895e8568a246865cad9c18e
SHA512

e06a768c2c74f8d7f5cab67ba2e5f9925be6302c755d6cefa205b0c635bd2d1db793417ef18bd0f65ec701105ff055bc71160ab1f20206e1ec2ee5e84dcae535
SSDEEP

12288:vbi3O31sGfWn39miK2Ft2ktxEFSrb63M9/Zc3C/0Pw2ZG5VrVKQBybBr3:DD+39MQwktxEx3MRu3c59VKQBybBz

Score

10^/10

remcos 28marzo rat

Malware Config

Extracted

Family

remcos

Botnet

28MARZO

20.38.13.217:2524

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2GPJZT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Excel.exeExcel.exeLectura de cargos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Excel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Excel.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Lectura de cargos.exe

Executes dropped EXE 2 IoCs

Processes:

Excel.exeExcel.exe

pid process

4404 Excel.exe
3180 Excel.exe

pid	process
4404	Excel.exe
3180	Excel.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Lectura de cargos.exeExcel.exeExcel.exe

description	pid	process	target process
PID 4420 set thread context of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4404 set thread context of 2536	4404	Excel.exe	csc.exe
PID 3180 set thread context of 228	3180	Excel.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4428 4240 WerFault.exe csc.exe
5052 2536 WerFault.exe csc.exe
3980 228 WerFault.exe csc.exe
4124 4372 WerFault.exe csc.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

444 schtasks.exe
4200 schtasks.exe
2572 schtasks.exe
3536 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4176 powershell.exe
4176 powershell.exe
700 powershell.exe
700 powershell.exe
2804 powershell.exe
2804 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4176 powershell.exe
Token: SeDebugPrivilege 700 powershell.exe
Token: SeDebugPrivilege 2804 powershell.exe

pid	pid_target	process	target process
4428	4240	WerFault.exe	csc.exe
5052	2536	WerFault.exe	csc.exe
3980	228	WerFault.exe	csc.exe
4124	4372	WerFault.exe	csc.exe

pid	process
444	schtasks.exe
4200	schtasks.exe
2572	schtasks.exe
3536	schtasks.exe

pid	process
4176	powershell.exe
4176	powershell.exe
700	powershell.exe
700	powershell.exe
2804	powershell.exe
2804	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Lectura de cargos.execmd.exeExcel.execmd.exeExcel.execmd.exe

description	pid	process	target process
PID 4420 wrote to memory of 212	4420	Lectura de cargos.exe	cmd.exe
PID 4420 wrote to memory of 212	4420	Lectura de cargos.exe	cmd.exe
PID 4420 wrote to memory of 212	4420	Lectura de cargos.exe	cmd.exe
PID 4420 wrote to memory of 312	4420	Lectura de cargos.exe	cmd.exe
PID 4420 wrote to memory of 312	4420	Lectura de cargos.exe	cmd.exe
PID 4420 wrote to memory of 312	4420	Lectura de cargos.exe	cmd.exe
PID 212 wrote to memory of 2572	212	cmd.exe	schtasks.exe
PID 212 wrote to memory of 2572	212	cmd.exe	schtasks.exe
PID 212 wrote to memory of 2572	212	cmd.exe	schtasks.exe
PID 4420 wrote to memory of 4176	4420	Lectura de cargos.exe	powershell.exe
PID 4420 wrote to memory of 4176	4420	Lectura de cargos.exe	powershell.exe
PID 4420 wrote to memory of 4176	4420	Lectura de cargos.exe	powershell.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4420 wrote to memory of 4240	4420	Lectura de cargos.exe	csc.exe
PID 4404 wrote to memory of 2304	4404	Excel.exe	cmd.exe
PID 4404 wrote to memory of 2304	4404	Excel.exe	cmd.exe
PID 4404 wrote to memory of 2304	4404	Excel.exe	cmd.exe
PID 4404 wrote to memory of 4804	4404	Excel.exe	cmd.exe
PID 4404 wrote to memory of 4804	4404	Excel.exe	cmd.exe
PID 4404 wrote to memory of 4804	4404	Excel.exe	cmd.exe
PID 2304 wrote to memory of 3536	2304	cmd.exe	schtasks.exe
PID 2304 wrote to memory of 3536	2304	cmd.exe	schtasks.exe
PID 2304 wrote to memory of 3536	2304	cmd.exe	schtasks.exe
PID 4404 wrote to memory of 700	4404	Excel.exe	powershell.exe
PID 4404 wrote to memory of 700	4404	Excel.exe	powershell.exe
PID 4404 wrote to memory of 700	4404	Excel.exe	powershell.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 4404 wrote to memory of 2536	4404	Excel.exe	csc.exe
PID 3180 wrote to memory of 2848	3180	Excel.exe	cmd.exe
PID 3180 wrote to memory of 2848	3180	Excel.exe	cmd.exe
PID 3180 wrote to memory of 2848	3180	Excel.exe	cmd.exe
PID 3180 wrote to memory of 3384	3180	Excel.exe	cmd.exe
PID 3180 wrote to memory of 3384	3180	Excel.exe	cmd.exe
PID 3180 wrote to memory of 3384	3180	Excel.exe	cmd.exe
PID 2848 wrote to memory of 444	2848	cmd.exe	schtasks.exe
PID 2848 wrote to memory of 444	2848	cmd.exe	schtasks.exe
PID 2848 wrote to memory of 444	2848	cmd.exe	schtasks.exe
PID 3180 wrote to memory of 2804	3180	Excel.exe	powershell.exe
PID 3180 wrote to memory of 2804	3180	Excel.exe	powershell.exe
PID 3180 wrote to memory of 2804	3180	Excel.exe	powershell.exe
PID 3180 wrote to memory of 228	3180	Excel.exe	csc.exe
PID 3180 wrote to memory of 228	3180	Excel.exe	csc.exe
PID 3180 wrote to memory of 228	3180	Excel.exe	csc.exe
PID 3180 wrote to memory of 228	3180	Excel.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe
"C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe"
2⤵
PID:312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\Lectura de cargos.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 188
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4240 -ip 4240
1⤵
PID:3732

C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe"
2⤵
PID:4804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 500
3⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2536 -ip 2536
1⤵
PID:4552

C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
3⤵
- Creates scheduled task(s)
PID:444

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe"
2⤵
PID:3384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 500
3⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 228 -ip 228
1⤵
PID:1612

C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
1⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
2⤵
PID:4240

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4200

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe"
2⤵
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe'"
2⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 500
3⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4372 -ip 4372
1⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Excel.exe.log
Filesize
609B

MD5
f78129c2d7c98a4397fa4931b11feef4

SHA1
ea26f38d12515741651ff161ea8393d5fa41a5bd

SHA256
29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9

SHA512
cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
444423e6fbaced2a7c29cb854fea4e9f

SHA1
72d1146520af4acdf7e0b3716b8969ad98b8f892

SHA256
5488ff2e567b72f8e107d848921f5ae526d7333e9f91942996756022fecd06c9

SHA512
9b9331c15e50e3bf4dce1383300e50540931d8ef9237ddc8c8799c0b4b8d3799c47c1d2684cf777911b4ba2ceba8c03bc79845b44e50ef763427d337b1411241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
159798153828fdb6ec8c04d9ce7aaf4a

SHA1
f91828a9201779d1331d8ca2418e1e8de5b835bf

SHA256
f6b7c9fa3e12cc8c3597b922d42acf3bfbc2c8bd80701b91e649782fa873ad8f

SHA512
68bc3ed1741ae0d9d9884c079d733b5e2622c25efb3366c60fc41bee639cd9b6f662e705fd97b36be62c645b74ec582597e12c88bfad1eeb3ec8ee51ca389183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
2254730ccb52725c21eea7f2f335cd9a

SHA1
a863fbbc1f15aaeabb2cfa3eef58059b17a91a51

SHA256
0d40c1b35b1bf7d13fea17624e5a09c5f70e8b9eb786ea98cf660fe6457ede05

SHA512
5bc980f107a45c9f4336febcf8145171789c98cea77297b37a5713816e1131c487e5ddd4e5526b9af82c14e7e1e0f509775a6b59f993616699c9e84d84405ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_50vaj1ef.lom.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
Filesize
670.0MB

MD5
bdb8cbc51cb8f186e4a8b56217ead338

SHA1
877b1f5e43bd90fc3be1bda08250c87565a10f3a

SHA256
7706a18ee5ae4110a77ee6b4b055cdcd46f120d00895e8568a246865cad9c18e

SHA512
e06a768c2c74f8d7f5cab67ba2e5f9925be6302c755d6cefa205b0c635bd2d1db793417ef18bd0f65ec701105ff055bc71160ab1f20206e1ec2ee5e84dcae535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
Filesize
670.0MB

MD5
bdb8cbc51cb8f186e4a8b56217ead338

SHA1
877b1f5e43bd90fc3be1bda08250c87565a10f3a

SHA256
7706a18ee5ae4110a77ee6b4b055cdcd46f120d00895e8568a246865cad9c18e

SHA512
e06a768c2c74f8d7f5cab67ba2e5f9925be6302c755d6cefa205b0c635bd2d1db793417ef18bd0f65ec701105ff055bc71160ab1f20206e1ec2ee5e84dcae535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
Filesize
670.0MB

MD5
bdb8cbc51cb8f186e4a8b56217ead338

SHA1
877b1f5e43bd90fc3be1bda08250c87565a10f3a

SHA256
7706a18ee5ae4110a77ee6b4b055cdcd46f120d00895e8568a246865cad9c18e

SHA512
e06a768c2c74f8d7f5cab67ba2e5f9925be6302c755d6cefa205b0c635bd2d1db793417ef18bd0f65ec701105ff055bc71160ab1f20206e1ec2ee5e84dcae535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel.exe
Filesize
111.4MB

MD5
3aba536364acff7abd5418cafe3bbec1

SHA1
5f1d391d89c8cafe0ee1bb5fd921498a64aa64b6

SHA256
027919eeaa1015a650a23c54eed3f445b10c7495593bc30bffbef23cfacddedd

SHA512
4fdb2debc1adea8a1817353397497f4c093e6b7ddbbefb1ce59d06add8169deedbdd782a14145c9dcc2a305d964b0a04cc0ed5e1713bc9fd4d890313e9f5e431

Download Submit
memory/228-245-0x0000000000E00000-0x0000000000E7F000-memory.dmp

Filesize
508KB

Download
memory/228-240-0x0000000000E00000-0x0000000000E7F000-memory.dmp

Filesize
508KB

Download
memory/700-230-0x000000007F8F0000-0x000000007F900000-memory.dmp

Filesize
64KB

Download
memory/700-217-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/700-218-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/700-219-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/700-220-0x0000000070590000-0x00000000705DC000-memory.dmp

Filesize
304KB

Download
memory/2536-205-0x0000000000C00000-0x0000000000C7F000-memory.dmp

Filesize
508KB

Download
memory/2536-200-0x0000000000C00000-0x0000000000C7F000-memory.dmp

Filesize
508KB

Download
memory/2804-255-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/2804-256-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/2804-269-0x000000007EE50000-0x000000007EE60000-memory.dmp

Filesize
64KB

Download
memory/2804-259-0x0000000075BA0000-0x0000000075BEC000-memory.dmp

Filesize
304KB

Download
memory/2804-258-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/3316-306-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

Filesize
64KB

Download
memory/3316-305-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3316-295-0x0000000071F40000-0x0000000071F8C000-memory.dmp

Filesize
304KB

Download
memory/3316-284-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3316-283-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4176-179-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/4176-180-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/4176-168-0x00000000062B0000-0x00000000062E2000-memory.dmp

Filesize
200KB

Download
memory/4176-167-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

Filesize
120KB

Download
memory/4176-164-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4176-159-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4176-153-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/4176-186-0x0000000007240000-0x000000000724E000-memory.dmp

Filesize
56KB

Download
memory/4176-150-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/4176-187-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/4176-143-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/4176-184-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/4176-140-0x00000000047A0000-0x00000000047D6000-memory.dmp

Filesize
216KB

Download
memory/4176-169-0x0000000070500000-0x000000007054C000-memory.dmp

Filesize
304KB

Download
memory/4176-182-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/4176-183-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/4176-185-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/4176-181-0x000000007F7E0000-0x000000007F7F0000-memory.dmp

Filesize
64KB

Download
memory/4176-188-0x0000000007330000-0x0000000007338000-memory.dmp

Filesize
32KB

Download
memory/4240-138-0x0000000001400000-0x000000000147F000-memory.dmp

Filesize
508KB

Download
memory/4240-146-0x0000000001400000-0x000000000147F000-memory.dmp

Filesize
508KB

Download
memory/4240-152-0x0000000001400000-0x000000000147F000-memory.dmp

Filesize
508KB

Download
memory/4372-277-0x00000000006C0000-0x000000000073F000-memory.dmp

Filesize
508KB

Download
memory/4372-282-0x00000000006C0000-0x000000000073F000-memory.dmp

Filesize
508KB

Download
memory/4420-133-0x0000000000830000-0x0000000000B6C000-memory.dmp

Filesize
3.2MB

Download
memory/4420-134-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4420-135-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/4420-136-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download