remcos | 986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
Size

1.6MB
MD5

f4a936f84d8916968c7373204b8ae63f
SHA1

6b98a8f443329a2d532ec53613898f99e2a0b6ef
SHA256

986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383
SHA512

97fe86f5a16c6190601f19ab796a6e319131d3697e9915008367aa584371369a51404679eebabb1847309dda9a68a315eed3cbb0688225870f23bdfed9e7a133
SSDEEP

49152:5dPQwh6G//OyxCjRW/iHIteZMqbRDENiPw3FTFX:j3h6d68gwIteZNiiPwVpX

Score

10^/10

remcos xred abillion+naira backdoor discovery execution persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

ABILLION+NAIRA

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0L1LJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
2620	powershell.exe
1336	powershell.exe
1252	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
300	._cache_986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1516	Synaptics.exe
2316	Synaptics.exe
1796	Synaptics.exe
1604	Synaptics.exe
1768	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1604	Synaptics.exe
1604	Synaptics.exe
1604	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1516 set thread context of 1604	1516	Synaptics.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2264	schtasks.exe
2460	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2024	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
2620	powershell.exe
2740	powershell.exe
1516	Synaptics.exe
1516	Synaptics.exe
1516	Synaptics.exe
1516	Synaptics.exe
1336	powershell.exe
1252	powershell.exe
1516	Synaptics.exe
1516	Synaptics.exe
1516	Synaptics.exe
1516	Synaptics.exe
1516	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1516	Synaptics.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
300	._cache_986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
2024	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2740	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	30
PID 1976 wrote to memory of 2740	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	30
PID 1976 wrote to memory of 2740	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	30
PID 1976 wrote to memory of 2740	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	30
PID 1976 wrote to memory of 2620	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	32
PID 1976 wrote to memory of 2620	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	32
PID 1976 wrote to memory of 2620	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	32
PID 1976 wrote to memory of 2620	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	32
PID 1976 wrote to memory of 2264	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	34
PID 1976 wrote to memory of 2264	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	34
PID 1976 wrote to memory of 2264	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	34
PID 1976 wrote to memory of 2264	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	34
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1976 wrote to memory of 1948	1976	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	36
PID 1948 wrote to memory of 300	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	37
PID 1948 wrote to memory of 300	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	37
PID 1948 wrote to memory of 300	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	37
PID 1948 wrote to memory of 300	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	37
PID 1948 wrote to memory of 1516	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	38
PID 1948 wrote to memory of 1516	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	38
PID 1948 wrote to memory of 1516	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	38
PID 1948 wrote to memory of 1516	1948	986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe	38
PID 1516 wrote to memory of 1336	1516	Synaptics.exe	39
PID 1516 wrote to memory of 1336	1516	Synaptics.exe	39
PID 1516 wrote to memory of 1336	1516	Synaptics.exe	39
PID 1516 wrote to memory of 1336	1516	Synaptics.exe	39
PID 1516 wrote to memory of 1252	1516	Synaptics.exe	41
PID 1516 wrote to memory of 1252	1516	Synaptics.exe	41
PID 1516 wrote to memory of 1252	1516	Synaptics.exe	41
PID 1516 wrote to memory of 1252	1516	Synaptics.exe	41
PID 1516 wrote to memory of 2460	1516	Synaptics.exe	43
PID 1516 wrote to memory of 2460	1516	Synaptics.exe	43
PID 1516 wrote to memory of 2460	1516	Synaptics.exe	43
PID 1516 wrote to memory of 2460	1516	Synaptics.exe	43
PID 1516 wrote to memory of 2316	1516	Synaptics.exe	45
PID 1516 wrote to memory of 2316	1516	Synaptics.exe	45
PID 1516 wrote to memory of 2316	1516	Synaptics.exe	45
PID 1516 wrote to memory of 2316	1516	Synaptics.exe	45
PID 1516 wrote to memory of 1796	1516	Synaptics.exe	46
PID 1516 wrote to memory of 1796	1516	Synaptics.exe	46
PID 1516 wrote to memory of 1796	1516	Synaptics.exe	46
PID 1516 wrote to memory of 1796	1516	Synaptics.exe	46
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47
PID 1516 wrote to memory of 1604	1516	Synaptics.exe	47

C:\Users\Admin\AppData\Local\Temp\986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
"C:\Users\Admin\AppData\Local\Temp\986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8565.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
  "C:\Users\Admin\AppData\Local\Temp\986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\._cache_986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:300
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA58.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2460
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:2316
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:1796
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:1768

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
f4a936f84d8916968c7373204b8ae63f

SHA1
6b98a8f443329a2d532ec53613898f99e2a0b6ef

SHA256
986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383

SHA512
97fe86f5a16c6190601f19ab796a6e319131d3697e9915008367aa584371369a51404679eebabb1847309dda9a68a315eed3cbb0688225870f23bdfed9e7a133

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
d2729355fb298d465c649c8f8b576a7b

SHA1
207010095542731747106f882b93067c6355f824

SHA256
8c38b8f5b2ff0dd4a19e36541aee28afb9bb21ed6d300ee2b13eb832f965c45d

SHA512
7541ad65cdbbd636c46bb7f932cb8a12bc86c72807fd0b1be962ca2d6515e9090cd466a104bc55c1dda40b53b547af8c153d37a11dc9742201c5af8702936755

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_986ecce2a6a989bacd39a4c89770ff42976919b2884d3e68e0ef2af2974d3383.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWCRqC3n.xlsm

Filesize
26KB

MD5
c275f869145f938f925a44608d5869bc

SHA1
29c24e9f82b114e737fabcc8a3fa5ebd0e49e436

SHA256
1bcab6a5cf9083df0af23670b1ba21723e0941db8a5aee715fae5bf0579e0701

SHA512
53cd667a2448beee882edf9a70bb7013ec422f466fdff891946981f95ea4ad0eb05d5dd552335878dd35c34ff1efec933389eae32315d617be822287e4bbff7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWCRqC3n.xlsm

Filesize
32KB

MD5
875b11898cd4ebab3c3feece016d3537

SHA1
1a15306bf7d513617b36d10b8ec32e800c9d0610

SHA256
1b7209ea324f2b0e4504c5ad0bbe0f647d42948c4836756526776ca6d7e7bf0a

SHA512
748bad4ae6d7872716b70d737750c7bca3bad31d9a0e9a0edcf272bde1349e139ada2d240681b2626279740e0b588ccdc2ec18f27fc4970ca27c9b5045ad432d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWCRqC3n.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWCRqC3n.xlsm

Filesize
32KB

MD5
66a5e0f03a0f5be50c419fc8a0694554

SHA1
6ac3a7d90c33e969a89e64b92d629aad698a82b8

SHA256
617a5d223aa74d902e31a87b8a98f79e9d10bfe08ffbc88f41538b5821695c50

SHA512
6a873fb250496749b1022d898da1ebedf5b64af831d07aec732b3be43b67106bbc56c0ae3e9a36d6a6a9b6531f3c05bcc7793ed40e8e3d81ce02859594877c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWCRqC3n.xlsm

Filesize
28KB

MD5
b015530c77726448b6b8980cda8902ed

SHA1
949b3c71797b965f71381aa951a966ac600846cf

SHA256
4263462ce38fe57519ed607d371dfc1f24f80a315344ba92720b7c58d617ab22

SHA512
99745c528864c8e0e880110bc5f7fafd8013747cc352cb43c750e92a8d19436f893c53a085bfbd929ae5b2ca213195888ba34396ff9f651e93f978922a29f69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8565.tmp

Filesize
1KB

MD5
01d22a7de1d30bc58c67f53236453099

SHA1
558fa8e714e605ad0855681c4c0c3e0e4b54a1a5

SHA256
970e0796054e994c7a7126fd9641f737aeaa4d3d027c65fb5f21dbaacdec81eb

SHA512
d8fb5c4b9ff216abb9094d8bd9bf5cf5afc8ac0f98bd0282d4c871bdd7e7083de3644437bf323ed03365799d3073154401baf7284296efa39d7638729662dd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ccc568929df73a3b4937f93262f5acb8

SHA1
f00d4ee1dab96f350db203498c4c7e0adbc571f5

SHA256
d1589307301306241dd347217f38c4d97e631bfb4b9e6214521a3515d4a33127

SHA512
418c40bda097dde09e419f64de2746f1a98ccf3cc46871d27c5b260625e01b8e2557d5bd8ffdbb853dd661890b89e1597323c65e454eb295021b6ddca0c20294

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a0f0a4d2ebb463b5d9598e67389b2c03

SHA1
6eeb321766892db53712f87d90af1e3621abc406

SHA256
00357e7337fa5f6ea4a92461bdcb22bb9e4b046dbb68793d3dfc3ca7112e9bb9

SHA512
6b2b27ddd793486cefff52d83e55e37c0241ea2a02e1c304560098e551bd4bffe991ca13ebe2c2f8e4d8114dd85746f4e372672e818085bdbc5cfcdb68e1aebd

Download Submit
C:\Users\Admin\Downloads\~$DebugCopy.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1516-58-0x0000000000F30000-0x00000000010D6000-memory.dmp

Filesize
1.6MB

Download
memory/1604-187-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1604-94-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1604-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1604-188-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1604-191-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1604-232-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-25-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-29-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1948-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1976-38-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-0-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download
memory/1976-6-0x0000000005090000-0x000000000520E000-memory.dmp

Filesize
1.5MB

Download
memory/1976-5-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-4-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download
memory/1976-3-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/1976-2-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-1-0x00000000010B0000-0x0000000001256000-memory.dmp

Filesize
1.6MB

Download
memory/2024-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download