Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Payment_Details.xll

windows7-x64

7

Payment_Details.xll

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_Details.xll

  • Size

    1.5MB

  • MD5

    57b2f6818a666edddb86717ea7ce673d

  • SHA1

    0e2abb76ffb21662db683e6a178de13b49d0846b

  • SHA256

    48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152

  • SHA512

    0200bcf2504c45ee5364a0c0f71b5a3fcafd4d963dd4aa4fd59cfb7c502cdeff97aca6a47ca9654c6e890fe958a36fc148d935a2413d80ee7e8b016d17840d8a

  • SSDEEP

    24576:JoOOMX1pF+QHT+dP4jxk3uilvBENVpz0QCjDer62tB7rkKEyf:JoOO6+QHsPGmdlGf1dau62j7rk6

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment_Details.xll"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\b484589e-5bc1-4822-b761-fc942575461a.exe
      "C:\Users\Admin\AppData\Local\Temp\b484589e-5bc1-4822-b761-fc942575461a.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsfhxtr.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Users\Admin\AppData\Local\Temp\zgouble.sfx.exe
          zgouble.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -padfdyehngfszalhmyjfoalepodtyuiofxvflffugyRhvqxsdfHbgnmeU
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3528
          • C:\Users\Admin\AppData\Local\Temp\zgouble.exe
            "C:\Users\Admin\AppData\Local\Temp\zgouble.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4448
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cfgdf.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3772
              • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
                cvghfy.sfx.exe -dC:\Users\Admin\AppData\Roaming -peyhrntdesczopthnymkdespbodtyuhngfszafugyRhvqxsdfHbgnmeL
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3644
                • C:\Users\Admin\AppData\Roaming\cvghfy.exe
                  "C:\Users\Admin\AppData\Roaming\cvghfy.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1472
                  • C:\Users\Admin\AppData\Roaming\cvghfy.exe
                    C:\Users\Admin\AppData\Roaming\cvghfy.exe
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1876
                    • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                      "C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2560
                      • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                        C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1320
                        • C:\Windows\SysWOW64\schtasks.exe
                          "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8131.tmp" /F
                          12⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:2832
                      • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                        C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                        11⤵
                        • Executes dropped EXE
                        PID:1260
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 80
                          12⤵
                          • Program crash
                          PID:1176
                  • C:\Users\Admin\AppData\Roaming\cvghfy.exe
                    C:\Users\Admin\AppData\Roaming\cvghfy.exe
                    9⤵
                    • Executes dropped EXE
                    PID:1792
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 80
                      10⤵
                      • Program crash
                      PID:64
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pago.pdf"
        3⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2292
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=539EDBD1DA07C50AA8768A982797F8B3 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2956
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EE27AB1891A99462EED8E23582ACDC68 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EE27AB1891A99462EED8E23582ACDC68 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3180
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=24389C5924B1CBA3AD7C2681D5A6D5C2 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1696
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9FE134749D798A0FE461DCC2B519C10 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4804
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=759A167030E1C38B77BE916F8BCD3B92 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3684
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=12A46F472F487B4B7EA62A3550434957 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=12A46F472F487B4B7EA62A3550434957 --renderer-client-id=7 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1792 -ip 1792
    1⤵
      PID:1560
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1260 -ip 1260
      1⤵
        PID:1548
      • C:\Windows\System32\CompPkgSrv.exe
        C:\Windows\System32\CompPkgSrv.exe -Embedding
        1⤵
          PID:4340

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
          Filesize

          36KB

          MD5

          b30d3becc8731792523d599d949e63f5

          SHA1

          19350257e42d7aee17fb3bf139a9d3adb330fad4

          SHA256

          b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

          SHA512

          523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
          Filesize

          56KB

          MD5

          752a1f26b18748311b691c7d8fc20633

          SHA1

          c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

          SHA256

          111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

          SHA512

          a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
          Filesize

          64KB

          MD5

          db894048239d8bd3b137375283405b11

          SHA1

          b9b2c0b428fe2d00d661113b3744fd9f8eb18cc0

          SHA256

          ad208005fc4869e62fa6ec1a685a94ba2c60d4d6029aa0791430b0e2c824ab0e

          SHA512

          ea023f77dde9166d61724247de9a4b1c7950f48fd443b45ebc150444606db13845a983a68e1f070015d413944ab6820ab64a31ae851c5b4cefabb2c0a84c07b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvghfy.exe.log
          Filesize

          706B

          MD5

          d95c58e609838928f0f49837cab7dfd2

          SHA1

          55e7139a1e3899195b92ed8771d1ca2c7d53c916

          SHA256

          0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

          SHA512

          405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Pago.pdf
          Filesize

          30KB

          MD5

          fa0a0bc195062f035e0b7971ead10491

          SHA1

          ca2d4bd456ccba9fceb3f2b9ffefeb59615e12c9

          SHA256

          7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d

          SHA512

          c5a47170ad1ec061b37fd8c0726998400b144decccee65b9225184425da047e7abe007e17197c8423a5d9331c751d7f7d0512fa48de3fecbca0a5989e5c42ae4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Payment_Details.xll
          Filesize

          1.5MB

          MD5

          57b2f6818a666edddb86717ea7ce673d

          SHA1

          0e2abb76ffb21662db683e6a178de13b49d0846b

          SHA256

          48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152

          SHA512

          0200bcf2504c45ee5364a0c0f71b5a3fcafd4d963dd4aa4fd59cfb7c502cdeff97aca6a47ca9654c6e890fe958a36fc148d935a2413d80ee7e8b016d17840d8a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\b484589e-5bc1-4822-b761-fc942575461a.exe
          Filesize

          1.0MB

          MD5

          f32465a4fd980fa363d5572fa360b899

          SHA1

          f47515752d398ff6a0ef2defcc438fdec954bd85

          SHA256

          3304e525a58d809bbb50534a1288d1d9f5285bd77f313725cb48368642b10583

          SHA512

          e2969efb4e82a4c2ae9ad1064e194d57771faa66d111f6be76946c04ad01b6777813290daf8ccded11601cd407843e51d729f20ad0f396ff6f13849f424085ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\bsfhxtr.cmd
          Filesize

          18KB

          MD5

          7d18436333f8f151e58c02a9c84648c1

          SHA1

          b254b3b902a5bed7894677d9b878c6eb589641b4

          SHA256

          078332289fe77ede5a5f3feb6c3393fb893605b3ec1545df450ab750a4059a29

          SHA512

          e7070bf486272935b22d78e8fe3f284a20351528b4919783c312fdcb5ec35c1dd90d3e0efb2cd040160cbaa471b8ab52bcc2c67ff443c611a858a9514b987bc5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp8131.tmp
          Filesize

          1KB

          MD5

          ab249650b85443ac128c24bb9feed685

          SHA1

          fad1eccebd31e34a6849d53e748397732b1b58bd

          SHA256

          3397551e013d6e71e90ff8e849475d966ad00abed7dc4462ab620e1f00c5a19f

          SHA512

          a02c890e9733b6c210b64df1e2addee8ae256096e92c3380d8b0a912fa2804d796046d15e7855fee9c8548de45977a71fdcc517c25721eb8501704e2d7ac8132

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zgouble.exe
          Filesize

          625KB

          MD5

          58133b496a35609d10cc64215b5fc990

          SHA1

          dc6bb593c22e664a8d7629e0663820f9207592d1

          SHA256

          2d08e8130fcd20c4e4332010481247cf00062af6cafbbfd4cbe096a9c62d5d7d

          SHA512

          4d2a18cd02f214740d1834930246da55757ff92edec2b1fc64191ab4fc612a3a18cbaa443f9ef5329f5be6150b1487bc0f5c7bff5c5b4469c5bdd9517a526cc8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zgouble.sfx.exe
          Filesize

          768KB

          MD5

          edc939823a0d0ac63f84ef49acaf014b

          SHA1

          5d3603cab47e2df3d49414a58b762e50a9c948ba

          SHA256

          72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17b

          SHA512

          4bcab61622c4f08430199aafd36556416ccbb0a2693162418d929de9190bcadf8ff86c415e2c3e0b989eeb8cbb498a3c2d68296aff0ca05b8355aa464f298914

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
          Filesize

          1KB

          MD5

          924d66f05f2ca2274f0d2e5adc099ef4

          SHA1

          da80a66ac1860592e95ccb59c979cbd375be7b5a

          SHA256

          632c0e9c9efc38d840f05dba1698bfd75d8b0d5113e29a6cff23532dc2fb2dce

          SHA512

          669a73b9c0fa6d174dbea0ca8bd9e30024e9f7d1910d9287154dcc0a5e9db1279ea475183ce1f344632a909c4a5a43fcfdbaab315f6500e6891702e46a4cd742

          Download Submit

        • C:\Users\Admin\AppData\Roaming\cfgdf.bat
          Filesize

          18KB

          MD5

          67605d4576fc9218ca922faaccf44961

          SHA1

          0f4adb98ea10f90b3984a10837aa2c653700986b

          SHA256

          18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8

          SHA512

          ef570ad9ebbe64245a8b6d972c77c6dd96adf869e06e8834754a2f90b4c8171a66233db3d27938b3ec30e19ec070dfac2160d7e5b58f477c3d44a20d2be16707

          Download Submit

        • C:\Users\Admin\AppData\Roaming\cvghfy.exe
          Filesize

          246KB

          MD5

          81803959df039efd73a59e513065ea5c

          SHA1

          22328ae1cbf3c7e21b374bfcff7938d3f11f6459

          SHA256

          46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

          SHA512

          a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
          Filesize

          477KB

          MD5

          68b0b2d1155fbefde17060028186ef37

          SHA1

          39fcab2dbbaaf0c92a7af7179fd4932d6c8758e8

          SHA256

          29cce673a99fc812b911d71447ebc7c27240185d68471275d5878d15b5412724

          SHA512

          1d4c0eb0c668c4b4ecd3daddcd73f78ec72509f8b867ab82813aae8a4cf0ea94fc471454caf63b5b5b5da280ebcb5841b52bcc39b91ec2741d0c3d6a74bf694a

          Download Submit

        • memory/1472-99-0x0000000000DC0000-0x0000000000E06000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1472-100-0x0000000003100000-0x0000000003106000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1472-101-0x00000000056A0000-0x00000000056E0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1472-102-0x000000000E2A0000-0x000000000E33C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1472-103-0x000000000E8F0000-0x000000000EE94000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1472-106-0x000000000E3E0000-0x000000000E472000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1472-107-0x00000000051B0000-0x00000000051B6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1876-108-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2544-37-0x000002B31A7C0000-0x000002B31A8CC000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2544-14-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-28-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-31-0x000002B31A640000-0x000002B31A7C4000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2544-30-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-27-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-26-0x000002B302250000-0x000002B302264000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2544-35-0x000002B31A4C0000-0x000002B31A4FC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2544-36-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-3-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2544-40-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-25-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-24-0x000002B302250000-0x000002B302264000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2544-23-0x000002B300AE0000-0x000002B300C6F000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2544-7-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-16-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-19-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2544-18-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-17-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-15-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-10-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-29-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-13-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-12-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2544-104-0x00007FFD8D3CD000-0x00007FFD8D3CE000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2544-105-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-11-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-9-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-8-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-6-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-129-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-130-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-155-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-162-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-163-0x00007FFD8D330000-0x00007FFD8D525000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2544-0-0x00007FFD8D3CD000-0x00007FFD8D3CE000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2544-1-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2544-5-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2544-4-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2544-2-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2688-267-0x000000000B5D0000-0x000000000B87B000-memory.dmp

          Filesize

          2.7MB

          Download