remcos | 46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi
Size

2.8MB
MD5

a2a7ff35bd33480418bd39e0832d0875
SHA1

8cd2ec2310b1240ffa9944631c409e658cea03a7
SHA256

46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54
SHA512

20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c
SSDEEP

49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

Score

10^/10

remcos teddy discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

Teddy

adminitpal.com:8080

adminitpal.com:443

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
5
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
putty
mouse_option
false
mutex
tRvr-YKFHJK
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Putty
screenshot_path
%AppData%
screenshot_time
1
startup_value
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;chrome;edge;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 4156	2448	ManyCam.exe	100

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57efff.msi	msiexec.exe
File created	C:\Windows\Installer\e57effd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57effd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9C7064B9-89ED-41DD-86B6-540DFCC59041}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0A9.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4580	ManyCam.exe
2448	ManyCam.exe

Loads dropped DLL 19 IoCs

pid	Process
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
4580	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
2132	Demowordpad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4376	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ManyCam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Demowordpad.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2644	msiexec.exe
2644	msiexec.exe
4580	ManyCam.exe
2448	ManyCam.exe
2448	ManyCam.exe
4156	cmd.exe
4156	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2448	ManyCam.exe
4156	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4376	msiexec.exe
Token: SeSecurityPrivilege	2644	msiexec.exe
Token: SeCreateTokenPrivilege	4376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4376	msiexec.exe
Token: SeLockMemoryPrivilege	4376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4376	msiexec.exe
Token: SeMachineAccountPrivilege	4376	msiexec.exe
Token: SeTcbPrivilege	4376	msiexec.exe
Token: SeSecurityPrivilege	4376	msiexec.exe
Token: SeTakeOwnershipPrivilege	4376	msiexec.exe
Token: SeLoadDriverPrivilege	4376	msiexec.exe
Token: SeSystemProfilePrivilege	4376	msiexec.exe
Token: SeSystemtimePrivilege	4376	msiexec.exe
Token: SeProfSingleProcessPrivilege	4376	msiexec.exe
Token: SeIncBasePriorityPrivilege	4376	msiexec.exe
Token: SeCreatePagefilePrivilege	4376	msiexec.exe
Token: SeCreatePermanentPrivilege	4376	msiexec.exe
Token: SeBackupPrivilege	4376	msiexec.exe
Token: SeRestorePrivilege	4376	msiexec.exe
Token: SeShutdownPrivilege	4376	msiexec.exe
Token: SeDebugPrivilege	4376	msiexec.exe
Token: SeAuditPrivilege	4376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4376	msiexec.exe
Token: SeChangeNotifyPrivilege	4376	msiexec.exe
Token: SeRemoteShutdownPrivilege	4376	msiexec.exe
Token: SeUndockPrivilege	4376	msiexec.exe
Token: SeSyncAgentPrivilege	4376	msiexec.exe
Token: SeEnableDelegationPrivilege	4376	msiexec.exe
Token: SeManageVolumePrivilege	4376	msiexec.exe
Token: SeImpersonatePrivilege	4376	msiexec.exe
Token: SeCreateGlobalPrivilege	4376	msiexec.exe
Token: SeBackupPrivilege	4084	vssvc.exe
Token: SeRestorePrivilege	4084	vssvc.exe
Token: SeAuditPrivilege	4084	vssvc.exe
Token: SeBackupPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe
Token: SeTakeOwnershipPrivilege	2644	msiexec.exe
Token: SeRestorePrivilege	2644	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4376	msiexec.exe
4376	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2132	Demowordpad.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 4744	2644	msiexec.exe	87
PID 2644 wrote to memory of 4744	2644	msiexec.exe	87
PID 2644 wrote to memory of 4580	2644	msiexec.exe	89
PID 2644 wrote to memory of 4580	2644	msiexec.exe	89
PID 2644 wrote to memory of 4580	2644	msiexec.exe	89
PID 4580 wrote to memory of 2840	4580	ManyCam.exe	90
PID 4580 wrote to memory of 2840	4580	ManyCam.exe	90
PID 4580 wrote to memory of 2448	4580	ManyCam.exe	96
PID 4580 wrote to memory of 2448	4580	ManyCam.exe	96
PID 4580 wrote to memory of 2448	4580	ManyCam.exe	96
PID 2448 wrote to memory of 4940	2448	ManyCam.exe	97
PID 2448 wrote to memory of 4940	2448	ManyCam.exe	97
PID 2448 wrote to memory of 4156	2448	ManyCam.exe	100
PID 2448 wrote to memory of 4156	2448	ManyCam.exe	100
PID 2448 wrote to memory of 4156	2448	ManyCam.exe	100
PID 2448 wrote to memory of 4156	2448	ManyCam.exe	100
PID 4156 wrote to memory of 2132	4156	cmd.exe	105
PID 4156 wrote to memory of 2132	4156	cmd.exe	105
PID 4156 wrote to memory of 2132	4156	cmd.exe	105
PID 4156 wrote to memory of 2132	4156	cmd.exe	105
PID 4156 wrote to memory of 2132	4156	cmd.exe	105
PID 4156 wrote to memory of 2132	4156	cmd.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Regma\ManyCam.exe
  "C:\Users\Admin\AppData\Local\Regma\ManyCam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\system32\pcaui.exe
    "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Regma\ManyCam.exe"
    3⤵
    PID:2840
- - C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe
    C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {bce4b583-343f-44b8-8f95-9f76104077b9} -a "ManyCam" -v "ManyCam LLC" -s "To work properly, this app must be reinstalled after you upgrade Windows." -n 4 -f 0 -k 0 -e "C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe"
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe
        
        C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57effe.rbs

Filesize
9KB

MD5
dd77ca89df38bbc78bd2632e1fcd9649

SHA1
7d40505e62aab41cf019e90dbd0af115ef74a66a

SHA256
a11ba7af5c3b50e65e57e8293917eac6454abb110b84e1b83050afd59708633e

SHA512
19591e32d42957b6140c82871da7299c4930f682ca33c535b20a8827f31e52c2c929dc3bede98b8f802e615986202187707743ddc5d8a47ee3dcd49e87332f82

Download Submit
C:\ProgramData\putty\logs.dat

Filesize
184B

MD5
5169ed33ba7e33ad8620f23114616a55

SHA1
a649a23f1e5bc892244bc7d4d3abd0f3570b80ec

SHA256
0290c94d8f849aff192afa6c91268becd5693859c8edcb34f0f9fe49c095f0cb

SHA512
a0298e6f5dac59187f0c87338d12f2724debfc9ac69c8df9f1801302df579a17231909389fcabf11371c0d4b05704b409c960a278883524b78ed41b39de22841

Download Submit
C:\Users\Admin\AppData\Local\Regma\CrashRpt.dll

Filesize
121KB

MD5
b2d1f5e4a1f0e8d85f0a8aeb7b8148c7

SHA1
871078213fcc0ce143f518bd69caa3156b385415

SHA256
c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386

SHA512
1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

Download Submit
C:\Users\Admin\AppData\Local\Regma\ManyCam.exe

Filesize
1.7MB

MD5
ba699791249c311883baa8ce3432703b

SHA1
f8734601f9397cb5ebb8872af03f5b0639c2eac6

SHA256
7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

SHA512
6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

Download Submit
C:\Users\Admin\AppData\Local\Regma\cv099.dll

Filesize
664KB

MD5
2a8b33fee2f84490d52a3a7c75254971

SHA1
16ce2b1632a17949b92ce32a6211296fee431dca

SHA256
faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

SHA512
8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

Download Submit
C:\Users\Admin\AppData\Local\Regma\cxcore099.dll

Filesize
908KB

MD5
60ad2fc365dc3de0ce1fd191acc6a0b0

SHA1
8c85bf1b8734b150cf2afdfe64c1227dbef25393

SHA256
cf58a2f246d7d081986b44b14abc810c256c4f594738659e522476bcd7977d8c

SHA512
65b093547569a4c06028ec723be3d562102153741bd71a0dc6a16a2e96d56cb2101f5d1ebeddb235c570a12ec5834aa5f8529bf446dfc31f677d6150319bf65b

Download Submit
C:\Users\Admin\AppData\Local\Regma\cximagecrt.dll

Filesize
487KB

MD5
c36f6e088c6457a43adb7edcd17803f3

SHA1
b25b9fb4c10b8421c8762c7e7b3747113d5702de

SHA256
8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

SHA512
87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

Download Submit
C:\Users\Admin\AppData\Local\Regma\dbghelp.dll

Filesize
478KB

MD5
e458d88c71990f545ef941cd16080bad

SHA1
cd24ccec2493b64904cf3c139cd8d58d28d5993b

SHA256
5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

SHA512
b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

Download Submit
C:\Users\Admin\AppData\Local\Regma\highgui099.dll

Filesize
388KB

MD5
a354c42fcb37a50ecad8dde250f6119e

SHA1
0eb4ad5e90d28a4a8553d82cec53072279af1961

SHA256
89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

SHA512
981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

Download Submit
C:\Users\Admin\AppData\Local\Regma\sobrt

Filesize
51KB

MD5
5ba0e4ef5bb61db3b1554a108118ed45

SHA1
1004db2678baa94e1a9f99e767673514b0122a21

SHA256
d26373617c8ef46daa7482688b17ae8153a633ea2fe75053282f0f4308903f57

SHA512
62b43ecc1dc6f5d58283b164278b01fe5fb00963d712d3d4ed5b97fcb22c7c46010142ffe65c2df74b80edd6e48754fddf446f23dc28787dc008e156d3f54b3c

Download Submit
C:\Users\Admin\AppData\Local\Regma\xtda

Filesize
1.1MB

MD5
7910d6147f32875538e6d887c32522ed

SHA1
50f9a0a38b87f48c655ab45de0e25637f070e12d

SHA256
45d1882a8df64a9fa624cd4538bb17161633ae66a5c4d0aea7d2f17a274a6416

SHA512
2de6830a7b9fcf8e6ed08c870bd531705f8094f79205761606b40655b75686205871aa92968b5e2568afd741f2a09363efbd296304c61beddce3ffd15e1de742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
C:\Users\Admin\AppData\Local\Temp\e11609c5

Filesize
1.6MB

MD5
a4739024322b0637b3c15c1e7a4b9436

SHA1
f80cad1b1337dd9cafe3143271254838ce31e10a

SHA256
e39a8cb89f47b8bc4bc5398fe5d58705f3487b15da0237bda42b468265ebc410

SHA512
d3985e478f73e73d6ee83e5dd7999b0bbeacfc21eb45d8b2fee77c267c0741be5f44267a49b353e8d3eb0dffc825ed9215511eca86720affc0ae325d65378cc4

Download Submit
C:\Windows\Installer\e57effd.msi

Filesize
2.8MB

MD5
a2a7ff35bd33480418bd39e0832d0875

SHA1
8cd2ec2310b1240ffa9944631c409e658cea03a7

SHA256
46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

SHA512
20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
add462a7e5ca3e836ea2a27661e777a9

SHA1
22d1d3dd84362d82c93cd575a20bb375d761404c

SHA256
9f9d025e38078311ce1e70c87467ec5f775d33745966893a6d68958370f1c46e

SHA512
f1cbd6b3f4efb82cbdd39d0ab0a10babf433d6782444c6ce2512c4a0e194dd6b68e996148fefdbb63408235420f080756440b9a6eabe2cadb1630a656453e455

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f44eb6c7-8776-46c5-b690-e912384155f4}_OnDiskSnapshotProp

Filesize
6KB

MD5
646e0f135d3b982cf763977d7a113cd8

SHA1
f200599b4ebdbb208710ab75480577323407673b

SHA256
620ed1989e53b3f61e194c06f32a3a516d3c0c4e0dfef25af91a025dd25f1663

SHA512
f17db9311c5c2d2f2bb1fbd8be0d6b484e81db6a85f6cea0d60873aa7b4cb51c6de12dcb883406669fb36f731eb550b6a220c8ef24019014f751c9f9e9456626

Download Submit
memory/2132-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-112-0x00007FFFF01F0000-0x00007FFFF03E5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-124-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-130-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-140-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-134-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-137-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2132-115-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2448-95-0x00007FFFF01F0000-0x00007FFFF03E5000-memory.dmp

Filesize
2.0MB

Download
memory/2448-83-0x0000000000B80000-0x0000000000C6C000-memory.dmp

Filesize
944KB

Download
memory/2448-97-0x0000000074C60000-0x0000000074DDB000-memory.dmp

Filesize
1.5MB

Download
memory/2448-86-0x0000000001CA0000-0x0000000001D02000-memory.dmp

Filesize
392KB

Download
memory/2448-93-0x0000000074C60000-0x0000000074DDB000-memory.dmp

Filesize
1.5MB

Download
memory/2448-89-0x0000000001D10000-0x0000000001D88000-memory.dmp

Filesize
480KB

Download
memory/4156-103-0x0000000074C60000-0x0000000074DDB000-memory.dmp

Filesize
1.5MB

Download
memory/4156-100-0x00007FFFF01F0000-0x00007FFFF03E5000-memory.dmp

Filesize
2.0MB

Download
memory/4580-52-0x0000000001D70000-0x0000000001DD2000-memory.dmp

Filesize
392KB

Download
memory/4580-49-0x0000000001CC0000-0x0000000001D6D000-memory.dmp

Filesize
692KB

Download
memory/4580-46-0x0000000001BD0000-0x0000000001CBC000-memory.dmp

Filesize
944KB

Download
memory/4580-56-0x0000000074C60000-0x0000000074DDB000-memory.dmp

Filesize
1.5MB

Download
memory/4580-57-0x00007FFFF01F0000-0x00007FFFF03E5000-memory.dmp

Filesize
2.0MB

Download