remcos | 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/12/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62f928.msi
Size

2.8MB
MD5

a2a7ff35bd33480418bd39e0832d0875
SHA1

8cd2ec2310b1240ffa9944631c409e658cea03a7
SHA256

46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54
SHA512

20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c
SSDEEP

49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

Score

10^/10

remcos teddy discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

Teddy

adminitpal.com:8080

adminitpal.com:443

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
5
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
putty
mouse_option
false
mutex
tRvr-YKFHJK
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Putty
screenshot_path
%AppData%
screenshot_time
1
startup_value
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;chrome;edge;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 4576	3408	ManyCam.exe	107

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{9C7064B9-89ED-41DD-86B6-540DFCC59041}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBDB.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cad4.msi	msiexec.exe
File created	C:\Windows\Installer\e57cad2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cad2.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4408	ManyCam.exe
3408	ManyCam.exe

Loads dropped DLL 19 IoCs

pid	Process
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
4408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
888	Demowordpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3772	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Demowordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3596	msiexec.exe
3596	msiexec.exe
4408	ManyCam.exe
3408	ManyCam.exe
3408	ManyCam.exe
4576	cmd.exe
4576	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3408	ManyCam.exe
4576	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3772	msiexec.exe
Token: SeSecurityPrivilege	3596	msiexec.exe
Token: SeCreateTokenPrivilege	3772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3772	msiexec.exe
Token: SeLockMemoryPrivilege	3772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3772	msiexec.exe
Token: SeMachineAccountPrivilege	3772	msiexec.exe
Token: SeTcbPrivilege	3772	msiexec.exe
Token: SeSecurityPrivilege	3772	msiexec.exe
Token: SeTakeOwnershipPrivilege	3772	msiexec.exe
Token: SeLoadDriverPrivilege	3772	msiexec.exe
Token: SeSystemProfilePrivilege	3772	msiexec.exe
Token: SeSystemtimePrivilege	3772	msiexec.exe
Token: SeProfSingleProcessPrivilege	3772	msiexec.exe
Token: SeIncBasePriorityPrivilege	3772	msiexec.exe
Token: SeCreatePagefilePrivilege	3772	msiexec.exe
Token: SeCreatePermanentPrivilege	3772	msiexec.exe
Token: SeBackupPrivilege	3772	msiexec.exe
Token: SeRestorePrivilege	3772	msiexec.exe
Token: SeShutdownPrivilege	3772	msiexec.exe
Token: SeDebugPrivilege	3772	msiexec.exe
Token: SeAuditPrivilege	3772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3772	msiexec.exe
Token: SeChangeNotifyPrivilege	3772	msiexec.exe
Token: SeRemoteShutdownPrivilege	3772	msiexec.exe
Token: SeUndockPrivilege	3772	msiexec.exe
Token: SeSyncAgentPrivilege	3772	msiexec.exe
Token: SeEnableDelegationPrivilege	3772	msiexec.exe
Token: SeManageVolumePrivilege	3772	msiexec.exe
Token: SeImpersonatePrivilege	3772	msiexec.exe
Token: SeCreateGlobalPrivilege	3772	msiexec.exe
Token: SeBackupPrivilege	4428	vssvc.exe
Token: SeRestorePrivilege	4428	vssvc.exe
Token: SeAuditPrivilege	4428	vssvc.exe
Token: SeBackupPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3772	msiexec.exe
3772	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
888	Demowordpad.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1164	3596	msiexec.exe	92
PID 3596 wrote to memory of 1164	3596	msiexec.exe	92
PID 3596 wrote to memory of 4408	3596	msiexec.exe	96
PID 3596 wrote to memory of 4408	3596	msiexec.exe	96
PID 3596 wrote to memory of 4408	3596	msiexec.exe	96
PID 4408 wrote to memory of 456	4408	ManyCam.exe	98
PID 4408 wrote to memory of 456	4408	ManyCam.exe	98
PID 4408 wrote to memory of 3408	4408	ManyCam.exe	101
PID 4408 wrote to memory of 3408	4408	ManyCam.exe	101
PID 4408 wrote to memory of 3408	4408	ManyCam.exe	101
PID 3408 wrote to memory of 1544	3408	ManyCam.exe	102
PID 3408 wrote to memory of 1544	3408	ManyCam.exe	102
PID 3408 wrote to memory of 4576	3408	ManyCam.exe	107
PID 3408 wrote to memory of 4576	3408	ManyCam.exe	107
PID 3408 wrote to memory of 4576	3408	ManyCam.exe	107
PID 3408 wrote to memory of 4576	3408	ManyCam.exe	107
PID 4576 wrote to memory of 888	4576	cmd.exe	115
PID 4576 wrote to memory of 888	4576	cmd.exe	115
PID 4576 wrote to memory of 888	4576	cmd.exe	115
PID 4576 wrote to memory of 888	4576	cmd.exe	115
PID 4576 wrote to memory of 888	4576	cmd.exe	115
PID 4576 wrote to memory of 888	4576	cmd.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\62f928.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Regma\ManyCam.exe
  "C:\Users\Admin\AppData\Local\Regma\ManyCam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\system32\pcaui.exe
    "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Regma\ManyCam.exe"
    3⤵
    PID:456
- - C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe
    C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe
        
        C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cad3.rbs

Filesize
9KB

MD5
00b0e00510ba5bebe881461105bdda66

SHA1
2e2fc090c0777bfccef0937a6ebeb04d1c3974c3

SHA256
c2ebb9c4189d97d940221a4e53e13ce3a2abe4121d451a3d5764434145ad1e1a

SHA512
0c44c8d9e96e441936ba1e70bf6747b8f122519a3efde077a9d973bc0552997e0c453c7d6608975e65dfb99ae19a14980bfff477b8bf0582c7793e4064f31529

Download Submit
C:\ProgramData\putty\logs.dat

Filesize
184B

MD5
fdebbe1299abb2b372fd4585805fc66e

SHA1
e461d79523757cf1a9102bd5e1bf6fab29143204

SHA256
db4650c8219bf7ac4398d5e0170be79b2d59f6ccd66999e2257c9da3fa951044

SHA512
72ae7ed5f0d5b6d1cb2db44c09a45e30f07c5fdc9c4ff29f6cd0a090045d9e228741a3785fbb8603a9cf946ea273ecd003482c1c0f714dd9b91a1171171e7198

Download Submit
C:\Users\Admin\AppData\Local\Regma\CrashRpt.dll

Filesize
121KB

MD5
b2d1f5e4a1f0e8d85f0a8aeb7b8148c7

SHA1
871078213fcc0ce143f518bd69caa3156b385415

SHA256
c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386

SHA512
1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

Download Submit
C:\Users\Admin\AppData\Local\Regma\ManyCam.exe

Filesize
1.7MB

MD5
ba699791249c311883baa8ce3432703b

SHA1
f8734601f9397cb5ebb8872af03f5b0639c2eac6

SHA256
7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

SHA512
6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

Download Submit
C:\Users\Admin\AppData\Local\Regma\cv099.dll

Filesize
664KB

MD5
2a8b33fee2f84490d52a3a7c75254971

SHA1
16ce2b1632a17949b92ce32a6211296fee431dca

SHA256
faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

SHA512
8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

Download Submit
C:\Users\Admin\AppData\Local\Regma\cxcore099.dll

Filesize
908KB

MD5
60ad2fc365dc3de0ce1fd191acc6a0b0

SHA1
8c85bf1b8734b150cf2afdfe64c1227dbef25393

SHA256
cf58a2f246d7d081986b44b14abc810c256c4f594738659e522476bcd7977d8c

SHA512
65b093547569a4c06028ec723be3d562102153741bd71a0dc6a16a2e96d56cb2101f5d1ebeddb235c570a12ec5834aa5f8529bf446dfc31f677d6150319bf65b

Download Submit
C:\Users\Admin\AppData\Local\Regma\cximagecrt.dll

Filesize
487KB

MD5
c36f6e088c6457a43adb7edcd17803f3

SHA1
b25b9fb4c10b8421c8762c7e7b3747113d5702de

SHA256
8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

SHA512
87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

Download Submit
C:\Users\Admin\AppData\Local\Regma\dbghelp.dll

Filesize
478KB

MD5
e458d88c71990f545ef941cd16080bad

SHA1
cd24ccec2493b64904cf3c139cd8d58d28d5993b

SHA256
5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

SHA512
b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

Download Submit
C:\Users\Admin\AppData\Local\Regma\highgui099.dll

Filesize
388KB

MD5
a354c42fcb37a50ecad8dde250f6119e

SHA1
0eb4ad5e90d28a4a8553d82cec53072279af1961

SHA256
89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

SHA512
981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

Download Submit
C:\Users\Admin\AppData\Local\Regma\sobrt

Filesize
51KB

MD5
5ba0e4ef5bb61db3b1554a108118ed45

SHA1
1004db2678baa94e1a9f99e767673514b0122a21

SHA256
d26373617c8ef46daa7482688b17ae8153a633ea2fe75053282f0f4308903f57

SHA512
62b43ecc1dc6f5d58283b164278b01fe5fb00963d712d3d4ed5b97fcb22c7c46010142ffe65c2df74b80edd6e48754fddf446f23dc28787dc008e156d3f54b3c

Download Submit
C:\Users\Admin\AppData\Local\Regma\xtda

Filesize
1.1MB

MD5
7910d6147f32875538e6d887c32522ed

SHA1
50f9a0a38b87f48c655ab45de0e25637f070e12d

SHA256
45d1882a8df64a9fa624cd4538bb17161633ae66a5c4d0aea7d2f17a274a6416

SHA512
2de6830a7b9fcf8e6ed08c870bd531705f8094f79205761606b40655b75686205871aa92968b5e2568afd741f2a09363efbd296304c61beddce3ffd15e1de742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa94a0cc

Filesize
1.6MB

MD5
796825b17025c97a48bb3540b091a701

SHA1
98ec7bae6a9c35799b2f3d8e26be6518c7037909

SHA256
0ae8a95d3f17817461fff009b5b54bca432964ba7ce646ce70cec6b0e9e74935

SHA512
33a1ccf3a6196d0403c95bf6a37bb5ca37c5cbd6a44fd6c2bf0e55031ca7df872dd2028217dc1696f34d0111c613637f5c2d9753f517ab18039476d2acec186e

Download Submit
C:\Windows\Installer\e57cad2.msi

Filesize
2.8MB

MD5
a2a7ff35bd33480418bd39e0832d0875

SHA1
8cd2ec2310b1240ffa9944631c409e658cea03a7

SHA256
46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

SHA512
20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
5958c96ef7339cc9724b84b4973837a4

SHA1
03292b89afa613a15d629a9c2f392a742aaa93ae

SHA256
19e38e7b90a4ec479f1b6ca67d1e19297847e1571c7962d519d66ebda22fb194

SHA512
924eaa14274c0535b70e862c9132eea67434b113f0af2ba70fbd784ecd8b8bfbd7e7f612cec90b13f6fdd4c8a652c41c3a1b6c4915cd19e90b85b783674865ac

Download Submit
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{89656dee-bc2e-488d-b314-b5647be8a2f1}_OnDiskSnapshotProp

Filesize
6KB

MD5
c79b57db5aece3194cb1a2938c2308ec

SHA1
c6ee5f05ec2b266226fbca6ea2fae45c7880ade8

SHA256
516705deee1a946577b838d1897a0101abc6ba1b715788458705c88c37dc7734

SHA512
ff9375d22cee61a28d51e005f67dbf734bdd65a38f7cc4a3de680578a806f10dfe9c09d5c8cdde5fc2ff34e919e9da9d2cb72b003cf0ed7049dd5ead703c01d9

Download Submit
memory/888-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-124-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-115-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-110-0x00007FF927810000-0x00007FF927A05000-memory.dmp

Filesize
2.0MB

Download
memory/888-130-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/888-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3408-88-0x0000000001C10000-0x0000000001CFC000-memory.dmp

Filesize
944KB

Download
memory/3408-97-0x00000000742D0000-0x000000007444B000-memory.dmp

Filesize
1.5MB

Download
memory/3408-96-0x00007FF927810000-0x00007FF927A05000-memory.dmp

Filesize
2.0MB

Download
memory/3408-95-0x00000000742D0000-0x000000007444B000-memory.dmp

Filesize
1.5MB

Download
memory/3408-91-0x0000000001D00000-0x0000000001DAD000-memory.dmp

Filesize
692KB

Download
memory/3408-85-0x0000000001BA0000-0x0000000001C02000-memory.dmp

Filesize
392KB

Download
memory/4408-53-0x0000000000B90000-0x0000000000BF2000-memory.dmp

Filesize
392KB

Download
memory/4408-50-0x0000000000D20000-0x0000000000DCD000-memory.dmp

Filesize
692KB

Download
memory/4408-47-0x0000000000C30000-0x0000000000D1C000-memory.dmp

Filesize
944KB

Download
memory/4408-59-0x00007FF927810000-0x00007FF927A05000-memory.dmp

Filesize
2.0MB

Download
memory/4408-58-0x00000000742D0000-0x000000007444B000-memory.dmp

Filesize
1.5MB

Download
memory/4576-103-0x00000000742D0000-0x000000007444B000-memory.dmp

Filesize
1.5MB

Download
memory/4576-100-0x00007FF927810000-0x00007FF927A05000-memory.dmp

Filesize
2.0MB

Download