remcos | 4c8ef08c0d896adae8f7f3012b7d7732e8e8950007ba8117a122440bcefcef8a

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-05-2023 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7249a8d317ed6f5bd1e6374f602997ed.docx
Size

10KB
MD5

7249a8d317ed6f5bd1e6374f602997ed
SHA1

5e9e5bb7cb643db46fcf86140a6705a7f23749ec
SHA256

4c8ef08c0d896adae8f7f3012b7d7732e8e8950007ba8117a122440bcefcef8a
SHA512

153b5042335f320a864e57ac30d049b2c5720c6c3d9e2e08d48da00234e335205971db711af2ca42e7ce0779ba81038fb2377f30a764de434ef14966cef885c0
SSDEEP

192:ScIMmtPSi2EG/b/wLGbt0AOK1amWBXZVhhz03aHF:SPXST/0RAOeoJVh2al

Score

10^/10

remcos remotehost collection persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

csc.mastercoa.co:55241

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-444WE8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\fdhfggmmsn\\sfghdjdfvbniop8t.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1780-196-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1780-201-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1780-216-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/896-194-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/896-200-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/896-206-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1780-196-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/896-194-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1020-198-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1020-199-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/896-200-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1780-201-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/896-206-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1780-216-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1692 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1692	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://1835648751/gf/##############################################.doc	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exe20ok.exe

pid process

2044 vbc.exe
1984 20ok.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXEAddInProcess32.exe

pid process

1692 EQNEDT32.EXE
1572 AddInProcess32.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1692	EQNEDT32.EXE
1572	AddInProcess32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exeAddInProcess32.exe

description	pid	process	target process
PID 2044 set thread context of 1572	2044	vbc.exe	AddInProcess32.exe
PID 1572 set thread context of 896	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 set thread context of 1780	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 set thread context of 1020	1572	AddInProcess32.exe	AddInProcess32.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1692 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1692	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1492 PING.EXE
808 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1760 WINWORD.EXE

pid	process
1492	PING.EXE
808	PING.EXE

pid	process
1760	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbc.exe

pid	process
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe
2044	vbc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

AddInProcess32.exe

pid process

1572 AddInProcess32.exe
1572 AddInProcess32.exe
1572 AddInProcess32.exe
1572 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exeAddInProcess32.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 2044 vbc.exe
Token: SeDebugPrivilege 1020 AddInProcess32.exe
Token: SeShutdownPrivilege 1760 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEAddInProcess32.exe

pid process

1760 WINWORD.EXE
1760 WINWORD.EXE
1572 AddInProcess32.exe

pid	process
1572	AddInProcess32.exe
1572	AddInProcess32.exe
1572	AddInProcess32.exe
1572	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2044	vbc.exe
Token: SeDebugPrivilege	1020	AddInProcess32.exe
Token: SeShutdownPrivilege	1760	WINWORD.EXE

pid	process
1760	WINWORD.EXE
1760	WINWORD.EXE
1572	AddInProcess32.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeAddInProcess32.execmd.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 2044	1692	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 2044	1692	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 2044	1692	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 2044	1692	EQNEDT32.EXE	vbc.exe
PID 1760 wrote to memory of 1860	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1860	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1860	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1860	1760	WINWORD.EXE	splwow64.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 2044 wrote to memory of 1572	2044	vbc.exe	AddInProcess32.exe
PID 1572 wrote to memory of 896	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 896	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 896	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 896	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 896	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1888	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1888	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1888	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1888	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1780	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1780	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1780	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1780	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1780	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1020	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1020	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1020	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1020	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1020	1572	AddInProcess32.exe	AddInProcess32.exe
PID 1572 wrote to memory of 1984	1572	AddInProcess32.exe	20ok.exe
PID 1572 wrote to memory of 1984	1572	AddInProcess32.exe	20ok.exe
PID 1572 wrote to memory of 1984	1572	AddInProcess32.exe	20ok.exe
PID 1572 wrote to memory of 1984	1572	AddInProcess32.exe	20ok.exe
PID 1104 wrote to memory of 1492	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 1492	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 1492	1104	cmd.exe	PING.EXE
PID 1104 wrote to memory of 1492	1104	cmd.exe	PING.EXE
PID 664 wrote to memory of 808	664	cmd.exe	PING.EXE
PID 664 wrote to memory of 808	664	cmd.exe	PING.EXE
PID 664 wrote to memory of 808	664	cmd.exe	PING.EXE
PID 664 wrote to memory of 808	664	cmd.exe	PING.EXE
PID 1104 wrote to memory of 1672	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 1672	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 1672	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 1672	1104	cmd.exe	reg.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7249a8d317ed6f5bd1e6374f602997ed.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1860

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\fvvmfei"
4⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\qpafgwtjcly"
4⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\qpafgwtjcly"
4⤵
- Accesses Microsoft Outlook accounts
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\srfpypelqtqegv"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Local\Temp\20ok.exe
"C:\Users\Admin\AppData\Local\Temp\20ok.exe"
4⤵
- Executes dropped EXE
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 36 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fdhfggmmsn\sfghdjdfvbniop8t.exe,"
5⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 36
6⤵
- Runs ping.exe
PID:1492

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fdhfggmmsn\sfghdjdfvbniop8t.exe,"
6⤵
- Modifies WinLogon for persistence
PID:1672

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\20ok.exe" "C:\Users\Admin\AppData\Roaming\fdhfggmmsn\sfghdjdfvbniop8t.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\Admin\AppData\Roaming\fdhfggmmsn\sfghdjdfvbniop8t.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 49
6⤵
- Runs ping.exe
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
320B

MD5
9a78e64ed4ec802ac092665ff4d983fc

SHA1
7d8c158e9e5d7ede81865809056f1405be441467

SHA256
19c33ee8d67a7e4ed9d639f20bb5a1f44e5e30beaaf77e4ff45887894ea711f4

SHA512
2f592e376ff8a310f1db7f42dc6000e5217403e428c3171651bbcfb18f00d7f6d19d6b95e8149110864ff9cd1e78812ac3be3d8f6e7d4c41141348810a6fa033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
1d74ff0a8f40adf5fcd946cce16952b1

SHA1
2618b8be4108b038698a7b7712c1e966dd3c825d

SHA256
a84f0cd9167392b23d88df4e7f5ea76840dbdb16f953e671214df5ceda912567

SHA512
11045e082fe181422f4532450933a3a7fc0a46604a0c4d360a534e8cbaedfa4f5d18f5181940f49bd2423acc7d25fc8de71158dc7a082cb7b55749d0a00d2366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4F69F92E-AAD9-4096-B639-C8D0CEA4312C}.FSD
Filesize
128KB

MD5
809cd3eea658076d3a2c08613b226716

SHA1
da933e552c2b7fc19bbadab35127003860d0f3cd

SHA256
414f355f988b3ae58a2aa79451c9d05181d63c2ab37cd5535523f97c09fea6b7

SHA512
188af3adf330a23ab58043ef364128db5966782cff35560b4aa062293e4bcddd25e440022c4fa66d9890a9cf6a255e2fc82c83e08077332f7d868d9ca237975b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\##############################################[1].doc
Filesize
22KB

MD5
54e110633d9eab07a128d77a2983d306

SHA1
ed8ad3d9cf7941cd3d3f5c585ba534dbe050a5af

SHA256
904be1f7a689b97de339c54ded763b7dc26acb941fee56e585aa9e6350f65f17

SHA512
771dd723f00d96910548a0d4a39a89914dc118ae6e4859373993bd6f117e9db191b477660a6898b05a9d9fe8d1d959fe712f53b6869dcfaeced9206950d32c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\20ok.exe
Filesize
1.8MB

MD5
611e1fc8100044d0c7b4e8c194fe7cee

SHA1
a5131201b03969e007928fc21a3465c149824569

SHA256
77849aab387e345adfe8564247e7e8a44b00991a748387054ac6c534880cdfb1

SHA512
05044d8f0fe25bd1d14ef03c9b0efce2e2478cc2910c9c15ee6088fdf50c47ad353339a6abb4dbf4210f202cc50bb5c5cf6deb6ee5ca87211a6b4524fb200cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvvmfei
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvvmfei
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4A5F7A84-D80E-44D2-9459-E97E2BBD0286}
Filesize
128KB

MD5
75bc3d3af2b0162d618da5600f724e73

SHA1
e876608db5486cd8424533ea4fb5ca3d92c83dbc

SHA256
e77043b12f164c2b92e56b664b0e11ca4c89cb77207b3ff3f8ee42591d08bc11

SHA512
66f412338e3fb0141ba7e03d81957bb8f4fbd5652ef5205b12032640eefc4f4c2e7c238fa6a130bd26e9fb1f75df71d58b12aae20d80cfd290bc094b095a4a22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
e3e75650a67fd858ef2e06349bf6506f

SHA1
82b29e1146cf3f67566c5cd1cf14575760a7f0e4

SHA256
98092332b3ed6f6ecf0981b5816fe560224a1e52c50e864863992b17d28d64fe

SHA512
534defd166f643eaad470ca9e4e71b2dad2fe7117e3f4b0fe005191dca0a5019e8fb991de6c8f382cf122043cf8a92008184fb2900eb7ddab1b152c74dda28f1

Download Submit
C:\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
C:\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
C:\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
\Users\Admin\AppData\Local\Temp\20ok.exe
Filesize
1.8MB

MD5
611e1fc8100044d0c7b4e8c194fe7cee

SHA1
a5131201b03969e007928fc21a3465c149824569

SHA256
77849aab387e345adfe8564247e7e8a44b00991a748387054ac6c534880cdfb1

SHA512
05044d8f0fe25bd1d14ef03c9b0efce2e2478cc2910c9c15ee6088fdf50c47ad353339a6abb4dbf4210f202cc50bb5c5cf6deb6ee5ca87211a6b4524fb200cce

Download Submit
\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
memory/896-206-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/896-185-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/896-200-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/896-194-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/896-188-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1020-199-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1020-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1020-197-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1020-192-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-164-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1572-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-287-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-286-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-178-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-267-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-266-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-222-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1572-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-221-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-220-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1572-217-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1572-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1760-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-257-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1780-187-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-189-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-201-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-196-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-193-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-216-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2044-146-0x0000000000260000-0x0000000000278000-memory.dmp

Filesize
96KB

Download
memory/2044-158-0x00000000058A0000-0x00000000058E0000-memory.dmp

Filesize
256KB

Download
memory/2044-154-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2044-145-0x00000000002C0000-0x000000000030A000-memory.dmp

Filesize
296KB

Download
memory/2044-143-0x00000000058A0000-0x00000000058E0000-memory.dmp

Filesize
256KB

Download
memory/2044-147-0x00000000058A0000-0x00000000058E0000-memory.dmp

Filesize
256KB

Download
memory/2044-142-0x0000000001210000-0x0000000001472000-memory.dmp

Filesize
2.4MB

Download
memory/2044-152-0x00000000058A0000-0x00000000058E0000-memory.dmp

Filesize
256KB

Download
memory/2044-153-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download
memory/2044-166-0x00000000058A0000-0x00000000058E0000-memory.dmp

Filesize
256KB

Download
memory/2044-165-0x00000000058A0000-0x00000000058E0000-memory.dmp

Filesize
256KB

Download