remcos | d86206ff8c66f58ccf62d599a169fae3f250af701ef166bed4e566aded9c5704

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0e3c9ecb2cbab4f3f697bfe6c28fa28_JaffaCakes118.rtf
Size

1.5MB
MD5

b0e3c9ecb2cbab4f3f697bfe6c28fa28
SHA1

b10ca2dec7389dfa62fb324e08db375cfd215923
SHA256

d86206ff8c66f58ccf62d599a169fae3f250af701ef166bed4e566aded9c5704
SHA512

30cd4940aefcf21d60bea7c77a69aa6676a3135b6e8b1db1525d0808ccb1e67ab959f1462326158df7b9e8f1601afb8b754853061596d66f35f9fcbb0c036d19
SSDEEP

24576:cvyWSQzUgsnF8fEhd25SFg4ctaVhLhuZSFIHFVao+N1Or8lECARJAbWbrQ/gQQoj:n

Score

10^/10

remcos zgrat ablcpanyc persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.2 Pro

Botnet

ablcpanyc

remmy.anythingwithalogo.ltd:30092

remmy.weichertfinancail.com:30091

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
amdrivers.exe
copy_folder
AMDI
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
7373hdjdhljd098381-ZYSJV4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
AMDI
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect ZGRat V2 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2728-61-0x0000000006D10000-0x0000000006D5C000-memory.dmp family_zgrat_v2
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1140 1192 cmd.exe WINWORD.EXE
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 4 IoCs

Processes:

exe.exeexe.exeamdrivers.exeamdrivers.exe

pid process

2728 exe.exe
532 exe.exe
1624 amdrivers.exe
1916 amdrivers.exe
Loads dropped DLL 11 IoCs

Processes:

cmd.exeexe.execmd.exeamdrivers.exe

pid process

1140 cmd.exe
2728 exe.exe
2728 exe.exe
2728 exe.exe
2728 exe.exe
2728 exe.exe
2204 cmd.exe
1624 amdrivers.exe
1624 amdrivers.exe
1624 amdrivers.exe
1624 amdrivers.exe

resource	yara_rule
behavioral1/memory/2728-61-0x0000000006D10000-0x0000000006D5C000-memory.dmp	family_zgrat_v2

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1140	1192	cmd.exe	WINWORD.EXE

pid	process
2728	exe.exe
532	exe.exe
1624	amdrivers.exe
1916	amdrivers.exe

pid	process
1140	cmd.exe
2728	exe.exe
2728	exe.exe
2728	exe.exe
2728	exe.exe
2728	exe.exe
2204	cmd.exe
1624	amdrivers.exe
1624	amdrivers.exe
1624	amdrivers.exe
1624	amdrivers.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

exe.exeamdrivers.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMDI = "\"C:\\Users\\Admin\\AppData\\Roaming\\AMDI\\amdrivers.exe\""	exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMDI = "\"C:\\Users\\Admin\\AppData\\Roaming\\AMDI\\amdrivers.exe\""	amdrivers.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

exe.exeamdrivers.exe

pid process

2728 exe.exe
1624 amdrivers.exe

pid	process
2728	exe.exe
1624	amdrivers.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

exe.exeamdrivers.exeamdrivers.exe

description	pid	process	target process
PID 2728 set thread context of 532	2728	exe.exe	exe.exe
PID 1624 set thread context of 1916	1624	amdrivers.exe	amdrivers.exe
PID 1916 set thread context of 696	1916	amdrivers.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NSIS installer 2 IoCs
installer

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_1
\Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_2
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2652 taskkill.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\exe.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\exe.exe	nsis_installer_2

pid	process
2652	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1192 WINWORD.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

exe.exeamdrivers.exe

pid process

2728 exe.exe
1624 amdrivers.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeexe.exeamdrivers.exe

description pid process

Token: SeDebugPrivilege 2652 taskkill.exe
Token: SeDebugPrivilege 2728 exe.exe
Token: SeDebugPrivilege 1624 amdrivers.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEamdrivers.exe

pid process

1192 WINWORD.EXE
1192 WINWORD.EXE
1916 amdrivers.exe

pid	process
1192	WINWORD.EXE

pid	process
2728	exe.exe
1624	amdrivers.exe

description	pid	process
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2728	exe.exe
Token: SeDebugPrivilege	1624	amdrivers.exe

pid	process
1192	WINWORD.EXE
1192	WINWORD.EXE
1916	amdrivers.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 1140	1192	WINWORD.EXE	cmd.exe
PID 1192 wrote to memory of 1140	1192	WINWORD.EXE	cmd.exe
PID 1192 wrote to memory of 1140	1192	WINWORD.EXE	cmd.exe
PID 1192 wrote to memory of 1140	1192	WINWORD.EXE	cmd.exe
PID 1140 wrote to memory of 2728	1140	cmd.exe	exe.exe
PID 1140 wrote to memory of 2728	1140	cmd.exe	exe.exe
PID 1140 wrote to memory of 2728	1140	cmd.exe	exe.exe
PID 1140 wrote to memory of 2728	1140	cmd.exe	exe.exe
PID 1140 wrote to memory of 2652	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 2652	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 2652	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 2652	1140	cmd.exe	taskkill.exe
PID 1140 wrote to memory of 2552	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2552	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2552	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2552	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2496	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2496	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2496	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2496	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2492	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2492	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2492	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2492	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2512	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2512	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2512	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2512	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2528	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2528	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2528	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2528	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2560	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2560	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2560	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2560	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2568	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2568	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2568	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2568	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2668	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2668	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2668	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2668	1140	cmd.exe	reg.exe
PID 1140 wrote to memory of 2888	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2888	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2888	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2888	1140	cmd.exe	cmd.exe
PID 2888 wrote to memory of 2936	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2936	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2936	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2936	2888	cmd.exe	reg.exe
PID 1140 wrote to memory of 2548	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2548	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2548	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2548	1140	cmd.exe	cmd.exe
PID 2548 wrote to memory of 2092	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2092	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2092	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2092	2548	cmd.exe	reg.exe
PID 1140 wrote to memory of 2328	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2328	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2328	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 2328	1140	cmd.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b0e3c9ecb2cbab4f3f697bfe6c28fa28_JaffaCakes118.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\task.bat
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\exe.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Local\Temp\exe.exe
C:\Users\Admin\AppData\Local\Temp\exe.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\AMDI\amdrivers.exe"
6⤵
- Loads dropped DLL
PID:2204

C:\Users\Admin\AppData\Roaming\AMDI\amdrivers.exe
C:\Users\Admin\AppData\Roaming\AMDI\amdrivers.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Roaming\AMDI\amdrivers.exe
C:\Users\Admin\AppData\Roaming\AMDI\amdrivers.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
9⤵
PID:696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
3⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
3⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
3⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
3⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
3⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
3⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
3⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
3⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
4⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
3⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
4⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
3⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
4⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
3⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
4⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
3⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
4⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
3⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
4⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
3⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
4⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
420B

MD5
6f6842385a9017bd6716e0a3b460880d

SHA1
aa5fd067d6941b446cbd86547d634f68aaeb2aaf

SHA256
4c88d797379d89de9ba1f02d6a6393e5ab1caad2ecb137f9f6c1fb5f6559d196

SHA512
cef5d841b6265c040b57c7b2115fa405612496d301c0512021ee0888d8ebdc46b32253bb58d32f7951f203d43cec93db0cbe484f55cbc2dff9c53b7426f76e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
Filesize
423B

MD5
37d1f4b225ea7008a1a5c0641d99a8a0

SHA1
52885e4d80a630d7975d4cb979f7fe75805c1453

SHA256
58ed6afc4e6b704e28a95bf35150ff767582e71f996009531dd81fe5251c4b7b

SHA512
7572f2e8df62c2abf30ab45a8bc83af9008b11933d3a745dfb9ad3687089872cd1b7eeb2e1a1a941014257a9b349d189c662b34f980d40d734561e5211125578

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3555.tmp\2czr4np0.fcy
Filesize
328KB

MD5
735cb5b5350e27fdf72d2e4d293b24fe

SHA1
3af2cb9758663705d341a38711039144a3f5e06f

SHA256
066bfa6261c09f7bf95bfb4e35d1e4fc6f5cb76e2e4c818f063cc3da032dc0fb

SHA512
dca77704290efd5abf82ac1e6b89c83bd9abd167f57a153d648dfa47ee4c151c7aa855693315f171de2d23e126ffe3865fd3860117852fb82ff6a868e176e77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3555.tmp\uxkgw1jx.fgu
Filesize
129KB

MD5
712781067acfeefb363f00c31f792c3d

SHA1
e5cee6941bdba10203a5ae670cba5a9ceeb16221

SHA256
5bd4f277203a37463cd60eea3321309447d0046c4a335c25df39a627df85964f

SHA512
a9351cf5f286dc7e14f34b786ea8318834c413e6343bdd5c54c83a93601c5408ac4061472057c39fad9e7cc1563ac484a2f95e8a982c9cce4ed91d654c5b2594

Download Submit
C:\Users\Admin\AppData\Local\Temp\task.bat
Filesize
2KB

MD5
87aa6f8b236f77ea6ba2960e339a2418

SHA1
de6de0f0344693ff9fbc1c342867afee5bce3725

SHA256
cd0170e8e982ec7e87a916d1fd137a7e056c97f64b269eb7696b361bc9c7d1b2

SHA512
132dc475f5189d3f63fcbbff5dd7e74a8262270121710a936b91e450979b67e6f205123c5cd063fe01520cf0d67c7082f5dbff04261aeb48776e6e9c9ce0d7d8

Download Submit
C:\Users\Admin\AppData\Roaming\AMDI\amdrivers.exe.config
Filesize
228B

MD5
4f27f5eb21bda1863ae582832b495911

SHA1
4d4c0a2ca10ff137d92c63ea76b8c5a6596c7044

SHA256
d96ad73b2f1668ade39462f1e2044d55b74d1a6090a5c15f4e2f5820e6d5ef4a

SHA512
0a79a6bfc8a4025ab3f3683eeb95643ec177a9c38660412f8eed97ec27a80ecbbeb4e0515f64df6dc42bf745645e812aedd09c67e1eeb91a2724cd05445f4e05

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
Filesize
94B

MD5
a3a75a32fc9607d85ff2f59ddcf1d4f1

SHA1
96da1c32bc053d74e79a3dd687a476418f2f88e9

SHA256
e942135997a4fe0d9bc2e0a4a010787d57173b0a261dc64d261e2665a69c5e4f

SHA512
c9b7ea366bd43d80a9128aae87fe69757a5bf8d33747090927ea8adac61e3237f18347dcf4d5c407f9e525941fcb9e980ee2ec526e4833f8a703d512d3e23539

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe
Filesize
703KB

MD5
583a9cae566d49d367df028a0e28a72e

SHA1
e6d850eb1072cdc43ea2665a43e2cce50bd3a4e6

SHA256
8fbc89a2bc367c944c80fb7ad165071d4cc42522f43c7e1708eba0c34a7f4223

SHA512
9682d9b6abb85e3a06210303690ea6112ee33697b5bbcf84445453712a5038ec1f03721930f9f2bbc85ac53f4a0de707de951dffca0407d06da199bc628dc17a

Download Submit
\Users\Admin\AppData\Local\Temp\nst3555.tmp\CLR.dll
Filesize
93KB

MD5
732691c7a1ef4e7decb9d8c52010a709

SHA1
ecbf0bbcb051433d570e212e73a883f8e5f19996

SHA256
5f3573a00f3333d7587044f59b72511263103525d2cdfe79475c6726735d0812

SHA512
fcbde499f9592ae25b757e805892f43ffe50c475bc54ea3e992bc2db647e42d661c3dad2c4056da89fe4a62365f5b57df24d1083382ebdbd146bfb83d48d167a

Download Submit
\Users\Admin\AppData\Local\Temp\nst3555.tmp\System.dll
Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/532-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/532-70-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/532-78-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-133-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-143-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/696-145-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/696-146-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1192-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1192-0-0x000000002F241000-0x000000002F242000-memory.dmp

Filesize
4KB

Download
memory/1192-30-0x00000000713FD000-0x0000000071408000-memory.dmp

Filesize
44KB

Download
memory/1192-2-0x00000000713FD000-0x0000000071408000-memory.dmp

Filesize
44KB

Download
memory/1624-112-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/1916-159-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-157-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-127-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-167-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-151-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-164-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-128-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-161-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-153-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1916-131-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2728-54-0x0000000006680000-0x00000000066FD000-memory.dmp

Filesize
500KB

Download
memory/2728-55-0x0000000004270000-0x00000000042B2000-memory.dmp

Filesize
264KB

Download
memory/2728-51-0x0000000004140000-0x000000000415C000-memory.dmp

Filesize
112KB

Download
memory/2728-53-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2728-61-0x0000000006D10000-0x0000000006D5C000-memory.dmp

Filesize
304KB

Download